in reply to Taint checking, File::Find and Cwd

This is a known appropriate restriction of File::Find for 5.5.3, and unlikely to be changed no matter how many times you report it, because it needs to be tainted since the value is untrusted.

The new versions of File::Find include a user-controllable "I trust this" parameter for managed untainting, but you use these at your own risk:

`untaint'
    If find is used in taint-mode (-T command line switch or if EUID != UID or if EGID != GID) then internally directory names have to be untainted before they can be cd'ed to. Therefore they are checked against a regular expression *untaint_pattern*. Note, that all names passed to the user's *wanted()* function are still tainted.

`untaint_pattern'
    See above. This should be set using the `qr' quoting operator. The default is set to `qr|^([-+@\w./]+)$|'. Note that the parentheses are vital.

`untaint_skip'
    If set, directories (subtrees) which fail the *untaint_pattern* are skipped. The default is to 'die' in such a case.

-- Randal L. Schwartz, Perl hacker
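The options quoted above, put together in a taint-mode script. This is an added example, not code from the thread or from File::Find itself; it assumes a File::Find that supports these options, takes `/usr/bin` as the trusted root from the follow-up below, and the stricter per-file pattern inside `wanted` is an assumption chosen for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Find;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external commands with an untrusted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $root = '/usr/bin';    # literal in the source, so it is not tainted
my (@executables, $still_tainted);

find(
    {
        # Let File::Find untaint directory names internally before chdir.
        untaint         => 1,
        # The documented default pattern; the capture group is what
        # produces the untainted value, so the parentheses must stay.
        untaint_pattern => qr|^([-+@\w./]+)$|,
        # Skip subtrees whose names fail the pattern instead of dying.
        untaint_skip    => 1,
        wanted          => sub {
            # Names handed to wanted() are still tainted, as the
            # documentation says; count them to make that visible.
            $still_tainted++ if tainted($File::Find::name);

            # Untaint explicitly with a pattern narrower than the
            # directory pattern: one path component directly under $root.
            my ($name) = $File::Find::name =~ m|^(/usr/bin/[-+\w.]+)$|
                or return;

            push @executables, $name if -f $name && -x _;
        },
    },
    $root,
);

printf "%d names arrived tainted, %d executables accepted after untainting\n",
    $still_tainted || 0, scalar @executables;
```

Only the captured `$name` is safe to pass on to `open`, `exec` or similar; `$File::Find::name` and `$_` keep their taint.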

RE: Re: Taint checking
by ncw (Friar) on Sep 25, 2000 at 21:48 UTC
    Yes untaint is what I want here - I want to be able to say that I trust '/usr/bin' and just let it get on with it.

    It is a bit disappointing that this untaint stuff isn't mentioned in the File::Find documentation since it is obviously a well-known stumbling block.

    Is there any way to upgrade File::Find for perl 5.5.3 without upgrading to perl 5.6.0? I run 5.6.0 on my personal machine just to stay ahead, but I prefer 5.5.3 on the servers for its proven track record!