in reply to Re^3: Taint mode trap from Perl 5.6 to 5.8
in thread Taint mode trap from Perl 5.6 to 5.8

Please take a look at this experience: 
           my $msg = MIME::Lite->new( 
   
                           To      => "$emailsite",
                           From    => "$from",
                           Subject => "Contato >> $assunto",
                           Type    => 'text/html',
                           Data    => "$html" );

my $test = qq# $msg $emailsite $from $assunto $html #;                
+ 
          
if ( is_tainted($test) ) { die "tainted"; } else { die "not tainted"; 
+} # Dies "not tainted"

# $msg->send();

[download]
Ok, not tainted, shall work, right? No. When I go to the next step and uncomment the $msg->send(); line, the error remains! Without a single tainted variable! How comes!!!??

Also, how can I check the @cmd if the module is in my host's public module repository?

Thanks and sorry for the maddening problem

Replies are listed 'Best First'.
Re^5: Taint mode trap from Perl 5.6 to 5.8 - going mad!
by fizbin (Chaplain) on Sep 16, 2005 at 12:04 UTC
    I don't trust your is_tainted function. Try using the standard one instead: 
    my $msg = MIME::Lite->new(    
                           To      => "$emailsite",
                           From    => "$from",
                           Subject => "Contato >> $assunto",
                           Type    => 'text/html',
                           Data    => "$html" );

use Scalar::Util qw(tainted); # This module is included in perl 5.8
my %test = ('$msg' => $msg, '$emailsite' => $emailsite,
            '$from' => $from, '$assunto' => $assunto, '$html' => $html
+);

my ($k, $v);
while (($k, $v) = each %test)
{
  if (tainted($v)) {print STDERR "$k is TAINTED\n";}
  else {print STDERR "$k is not tainted\n";}
}

$msg->send();

    [download]
    By the way, where did you get your is_tainted function? It's not the standard one suggested in perlsec
    --
    @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/;
map{y/X_/\n /;print}map{pop@$_}@/for@/

    [download]
[reply]
[d/l]
[select]
[reply]

In Section Seekers of Perl Wisdom