in reply to run script in taint mode

Your 'untaint' operation is unneeded for a hardcoded path like what you gave.

I stripped your code down to essentials:

#!/usr/bin/perl -wT
use strict;
use warnings;
use XML::Simple; # used to read the xml config file

eval {
    my $parser = new XML::Simple(keeproot => 0);
    my $config_file = "blah.xml";
    my $config_path = "/www/common/data";
    my $file = "$config_path/$config_file";
    my $_Config = $parser->XMLin($file);
    print "Content-Type: text/plain\n\n\$_config = $_Config \n";
};
if ($@) {
    print "Content-Type: text/plain\n\n$@\n";
}

and created a 'blah.xml' file containing only '<data/>' and it ran fine for me.

You need to give the exact error message. I suspect it doesn't mean what you think it does.

Re^2: run script in taint mode
by Anonymous Monk on Oct 20, 2005 at 06:45 UTC
    I c/p your code, replaced the path with my xml-file, and ran it from the command line

    and I get the following error.
    Content-Type: text/plain Name contains invalid start character: '&#x3C;'

    I think it might have something to do with the data in the XML, but how should I untaint the data?
      That doesn't sound like a taint error. It sounds like bad XML. That code value is a 'left arrow' (<). You might get an error like that if somewhere in your data you had something like '<<something '. Does my script work if you turn off 'taint'? If it does, then the next thing I would look for is something like an external entity in a DTD that is trying to import a file with a '<' character in the name....
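
The taint behaviour discussed in this thread, as an added example that is not part of any post above: a hardcoded path is never tainted, while outside input stays tainted until a value is captured from an allowlist regex. The helper untaint_xml_name and the sample inputs are hypothetical and constructed for illustration; Scalar::Util's tainted() only reports the taint flag.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Values written into the program are never tainted, so this path
# (the one from the thread) needs no untainting.
my $config_path = "/www/common/data";
my $hardcoded   = "$config_path/blah.xml";

# Constructed stand-in for outside input (CGI parameter, argument,
# environment): appending a zero-length piece of the tainted $^X
# taints the whole string.
my $outside_ok  = "blah.xml"    . substr($^X, 0, 0);
my $outside_bad = "../blah.xml" . substr($^X, 0, 0);

# Hypothetical helper: untaint by allowlist. Only a capture group from a
# successful match is untainted; a bare file name ending in .xml is accepted.
sub untaint_xml_name {
    my ($name) = @_;
    return $1 if $name =~ /\A([A-Za-z0-9_-]+\.xml)\z/;
    return;    # reject instead of "cleaning up" unexpected input
}

sub report {
    my ($label, $value) = @_;
    printf "%-16s %-28s %s\n", $label,
        defined $value ? $value : '(rejected)',
        !defined $value ? '-' : tainted($value) ? 'tainted' : 'clean';
}

report('hardcoded path',  $hardcoded);
report('outside input',   $outside_ok);
report('after allowlist', untaint_xml_name($outside_ok));
report('name with ../',   untaint_xml_name($outside_bad));
```

Run it as `perl -T script.pl` so taint mode is active from startup.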