in reply to Re: taint mode, libraries and file path
in thread taint mode, libraries and file path

In fact I'd go further and suggest explicitly wiping out %ENV, and only setting the items that you need. That will eliminate time bombs from various modules that might use environment variables in unexpected ways. (Particularly cases where after an upgrade, the module adds an environment variable that it didn't use before.)

Note that if you really did want something like PATH to be settable, you can untaint it (presumably with a sanity check) and set the value to the untainted version.


Re^3: taint mode, libraries and file path
by fizbin (Chaplain) on Aug 22, 2005 at 13:55 UTC
    Good point. Note that perl's taint mode doesn't guard against other wild variables, such as LD_LIBRARY_PATH or LD_PRELOAD, both of which are on many systems just as dangerous as PATH.
    -- @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/
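As an added example (not code from either poster), here is how the two points above look in a taint-mode script: rebuild %ENV from a whitelist of the variables you actually need, so PATH, LD_LIBRARY_PATH, LD_PRELOAD and anything a module upgrade might start reading are gone, and re-admit a PATH from outside only after it has passed a sanity check. The particular whitelist and the character set allowed in PATH are assumptions for the illustration; adjust them to your CGI.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Environment variables this CGI actually needs.  Everything not listed is
# dropped, so PATH, LD_LIBRARY_PATH, LD_PRELOAD, IFS, CDPATH, PERL5LIB and
# whatever a future module version might read are simply absent.
# Assumption: these are the variables an htaccess-protected CGI relies on.
my @keep = qw(REMOTE_USER REQUEST_METHOD QUERY_STRING CONTENT_TYPE CONTENT_LENGTH);

# Remember the incoming PATH (tainted) in case we want to re-admit it below.
my $incoming_path = $ENV{PATH};

# Rebuild %ENV from the whitelist only.
my %kept;
for my $name (@keep) {
    $kept{$name} = $ENV{$name} if defined $ENV{$name};
}
%ENV = %kept;

# Untaint a PATH-like value: colon-separated absolute directories made of a
# conservative character set, no empty entries (an empty entry means "."),
# no ".." components.  Returns undef when the value fails, so the caller
# can fall back to a literal.
sub untaint_path {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    for my $dir (split /:/, $raw, -1) {
        return undef unless $dir =~ m{\A/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\z};
        return undef if grep { $_ eq '..' } split m{/}, $dir;
    }
    # Taint is cleared by extracting the value through a regex capture;
    # Perl assumes the pattern above embodies the sanity check.
    my ($clean) = $raw =~ m{\A([A-Za-z0-9_./:-]+)\z};
    return $clean;
}

# A literal is never tainted, so start with a hard-coded PATH and only
# replace it if the caller's PATH passes the check.
$ENV{PATH} = '/usr/bin:/bin';
if (defined(my $p = untaint_path($incoming_path))) {
    $ENV{PATH} = $p;
}

# With PATH clean and the dangerous variables gone, external commands are
# permitted again under -T.  Pass a list, never one string, so no shell
# gets involved.
printf "PATH tainted: %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';
printf "REMOTE_USER: %s\n", defined $ENV{REMOTE_USER} ? $ENV{REMOTE_USER} : '(not set)';
printf "LD_PRELOAD present: %s\n", exists $ENV{LD_PRELOAD} ? 'yes' : 'no';
system('/bin/ls', '-d', '/tmp') == 0 or warn "ls failed: $?";
```

Run it as `perl -T script.pl` (or directly via the shebang); invoking it as plain `perl script.pl` produces "Too late for -T". Try it once with `LD_PRELOAD=/tmp/x PATH='/usr/bin:' perl -T script.pl`: the trailing empty PATH entry fails the check so the literal is kept, and LD_PRELOAD is reported as absent.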

      thank you all muchly for the help. I did get a fix by setting $ENV{PATH} = '' which is fine for now.

      I use other parts of ENV quite a lot though, esp REMOTE_USER as I am using htaccess and need to identify people. I realise it is not the most secure method, but it's fine for what I want.

      To be honest, I don't completely understand ENV and PATH and what they really do - I need to do some Apache reading I guess.

      Thanks again for the help