in reply to no PerlIO $ENV{TAINTED};
in thread Perl 5.8.0 PerlIO insecure dependency

Actually there is nothing wrong with the behaviour you would get with the patch and your test case (removing the -T to simulate the effect of the patch as crlf will match ^[\w:]+$ 

[root@devel3 root]# TAINTED=crlf;export TAINTED
[root@devel3 root]# perl5.8.3 -e 'print $ENV{TAINTED},$/;'
crlf
[root@devel3 root]# perl5.8.3 -e 'use PerlIO $ENV{TAINTED};'
Can't locate PerlIO/crlf.pm in @INC (@INC contains: /usr/local/lib/per
+l5/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/5.8.3 /usr/loca
+l/lib/perl5/site_perl/5.8.3/i686-linux-thread-multi /usr/local/lib/pe
+rl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at (eval 1) lin
+e 3.
[root@devel3 root]#

[download]

All that patching it to untaint \w: chars does is allow you to call an artitrary PerlIO::Widget::Whotnot. That module still has to exist or it will just explode.

You could make a good argument for a patch like: 

corak "No way hosay...." unless $layer =~ m/^([\w:]+)$/;
$layer = $1;
eval "....

[download]

cheers

tachyon

Replies are listed 'Best First'.
Re: Re: no PerlIO $ENV{TAINTED};
by PodMaster (Abbot) on Apr 13, 2004 at 04:05 UTC
    That's kind of not the point, I think the value should remain tainted and the user should be made to untaint. A patch of $layer =~ s/[^\w:]//g; would take care of that.

    And btw, that regex is not bulletproof. "foo and exit" and a whole bunch of other nasties could slip by.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

[reply]
[d/l]

      And btw, that regex is not bulletproof. "foo and exit" and a whole bunch of other nasties could slip by.

      Incorrect. Not unless \w has suddenly started to match spaces rather than just [A-Za-z0-9_]. Please show me *ANY* nasty that will pass through. Without spaces, && || ; , etc you have no statement separator you can get into that eval to let you add to the require.

      my @nasties = (
    'foo and exit',
    "foo\nand\nexit\n",
    "hello",
    "foo\000exit",
);

for my $layer(@nasties) {
    print $layer =~ m/^([\w:]+)$/ ? "OK $layer\n" : "ERR $layer\n";
}

      [download]

      cheers

      tachyon

[reply]
[d/l]
[select]
        Thanks *cough* I must visit my eye doctor tomorrow *cough*cough* but it doesn't allow PerlIO::don't *cough*duck*

        MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
        I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
        ** The third rule of perl club is a statement of fact: pod is sexy.

[reply]
[d/l]

In Section Seekers of Perl Wisdom