in reply to Unlink under taint mode

I had another thought: does your code use locale? (I noticed that your location is Brazil.) Under use locale, perl -T won't trust /\w/ unless you specifically tell it so. For example, in your untaint you would use:

    {
        no locale;    # lexically restore the ASCII meaning of \w so -T trusts the capture
        if ( $string =~ /([\w\-]+)/ ) {    # '_' is already part of \w
            $clean_string = $1;
        }
        else {
            die "illegal character in '$string'";    # $! (errno) is not set by a failed match
        }
    }

See "Laundering and Detecting Tainted Data" in perlsec, and the SECURITY section of perllocale.

the lowliest monk

Right on the point!
by Andre_br (Pilgrim) on Apr 12, 2005 at 00:37 UTC
    Hey Postulant,

    That's exactly the problem! Thanks a lot! I do use a specific locale. I had already managed to clean the $string out, with a pattern that didn't have the \w and didn't know why I succeeded. That's it.

    By the way, I've found a simpler way to test if a variable is tainted, without having to use any extra module:

    if ( is_tainted($input) ) {
        die "tainted";
    }
    else {
        print "not tainted\n";
    }

    # Under -T, handing tainted data to kill inside the eval makes it die,
    # so the eval returns false and is_tainted() returns true.
    sub is_tainted {
        return ! eval { join('', @_), kill 0; 1; };
    }

    Thank you all!

    Take Care

    André
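The two points of this thread, the `no locale` laundering block and an is_tainted() check, put together in one runnable script. This is an added illustration, not code from either poster: it uses the eval-string taint test from perlsec rather than the `kill 0` variant above, anchors the untaint pattern so a name that is not entirely word characters and hyphens is rejected instead of silently shortened, and assumes the filename arrives via @ARGV.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the thread: laundering a filename for
# unlink under taint mode while `use locale` is in effect.
use strict;
use warnings;
use locale;    # assumption: the script needs a locale elsewhere

# Taint test as given in perlsec: eval'ing a string derived from tainted
# data dies under -T even when that string is empty.
sub is_tainted {
    my ($value) = @_;
    local $@;
    return !eval { eval("#" . substr(join("", $value), 0, 0)); 1 };
}

# perl -T does not trust a locale-dependent \w, so a capture made under
# `use locale` stays tainted. Compiling the pattern under `no locale` gives
# \w its ASCII meaning again and the capture is clean. Unlike the regex in
# the thread, this one is anchored: anything other than word characters
# and hyphens is rejected rather than trimmed off.
sub untaint_name {
    my ($string) = @_;
    no locale;
    return $1 if $string =~ /\A([\w-]+)\z/;
    die "illegal character in filename: '$string'\n";
}

@ARGV == 1 or die "usage: $0 FILENAME\n";
my $input = $ARGV[0];    # anything from @ARGV is tainted under -T

my $clean = untaint_name($input);    # dies if the name is not acceptable
printf "capture under no locale tainted:  %s\n",
    is_tainted($clean) ? "yes" : "no";    # expected: no

# Same character class, but compiled under `use locale`: the capture keeps
# the taint of $input, which is what the original poster ran into.
my ($locale_capture) = $input =~ /([\w-]+)/;
printf "capture under use locale tainted: %s\n",
    is_tainted($locale_capture) ? "yes" : "no";    # expected: yes

# With a tainted name, unlink would die with
# "Insecure dependency in unlink while running with -T switch".
unlink $clean or die "unlink $clean: $!\n";
print "removed $clean\n";
```

Run it as `perl -T script.pl somefile` in a directory where that file exists; the two printf lines show which capture -T accepts before the unlink is attempted.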