ichimunki has asked for the wisdom of the Perl Monks concerning the following question:

I made the mistake of not turning on taint checking a lot sooner in a project I'm working on. Now it's biting me where I least expect it, and I'd like to know how to fix this.

The application grabs web pages using libwww modules and displays them using Tk800 modules. I have a main script that pulls my packages together which now starts with #!/usr/bin/perl -wT

The application stops compiling almost immediately and kicks out a warning of "tainted at /usr/local/.../MainWindow.pm line 55. MainWindow->new() at lib/app/mod.pm line 50". All my module says on line 50 is $Main = MainWindow->new(). So is there a way to call the Tk module without getting on taint's bad side?

(tye)Re: Tk and taint
by tye (Sage) on Jan 18, 2001 at 19:51 UTC

    Tk is supposed to work when tainting is enabled (I knew this because there is a Tk::tainting() function that is used to skip certain steps when tainting is turned on).

    You are lucky in that the first Tk script I tried exhibited the same problem. Going against the advice of saints and savages I quickly decided to jump into the debugger to figure out where the problem really was.

    I quickly found and fixed the problem (OK, if you really hate debuggers for debugging, I suggest you tackle this particular problem on your own without using the debugger and see if you can find the problem in 5 minutes like I did -- seriously). The following paragraph tells how to fix the problem but is obscured for those who want to "take the challenge". Simply "download code" or cut'n'paste to get the solution (or just "select" the area and the colors will change so that the text is visible).

    In Tk.pm, find "sub TranslateFileName" and insert the following line as the last line of the "unless" block (making it line 353 in my copy of Tk.pm): ($Home) = $Home =~ m#^([-\w/.:,]+)# if Tk::tainting;

    Now if I can just manage to produce and submit a patch. ):

            - tye (but my friends call me "Tye")
Re: Tk and taint
by clintp (Curate) on Jan 18, 2001 at 20:03 UTC
    What can be tainted? User provided information. And where might that come from? Command line, I/O, or the Environment.

    A quick check of:

        #!/usr/bin/perl -wT
        use Tk;
        my $mw = new MainWindow;
        MainLoop;

    And sure enough, something's tainted. But Tk isn't kind enough to tell us exactly what. My first instinct was "Environment" (which it always is with tainting) and this cured it:

        #!/usr/bin/perl -wT
        use Tk;
        %ENV = ();
        my $mw = new MainWindow;
        MainLoop;

    Granted, this cure is rather drastic. Now you get to go spelunking and find out exactly which environment bits Tk is interested in. In my case, under Win32, it was 2 environment variables that aren't mentioned at all in perlsec. Good luck!
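Both replies come down to the same mechanism: under -T every value read from %ENV is tainted, and the only sanctioned way to clean one is to pull it through a regex capture, which is exactly what tye's one-line patch does to $Home. The script below is an added illustration (not code from either poster, and it does not need Tk to run): it lists which %ENV entries are tainted, then untaints just the ones a Tk program needs rather than wiping the whole environment as clintp's quick fix does. Scalar::Util::tainted (core since Perl 5.8) is assumed to be available; untaint_path_like and its allowed character set are this example's own choices.

```perl
#!/usr/bin/perl -wT
# Added example, not code from the thread. Lists which %ENV entries are
# tainted under -T and untaints only the ones a Tk program actually needs,
# instead of wiping %ENV entirely. Scalar::Util::tainted (core since 5.8)
# is assumed to be available; untaint_path_like and its character set are
# this example's own choices, not anything from Tk or perlsec.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything read from the environment is tainted, so this
# normally prints every variable; it is the list you have to whittle down.
my @tainted = grep { tainted($ENV{$_}) } sort keys %ENV;
print "tainted environment entries: @tainted\n";

# The only sanctioned way to untaint data is to pull it through a regex
# capture. The character class is an allowlist (no spaces, quotes, or shell
# metacharacters); anything else is an error rather than silently passed.
sub untaint_path_like {
    my ($name) = @_;
    return 0 unless defined $ENV{$name};
    if ($ENV{$name} =~ m{^([-\w/.:,]+)\z}) {
        $ENV{$name} = $1;          # $1 is untainted by construction
        return 1;
    }
    die "refusing to untaint \$ENV{$name}: unexpected characters\n";
}

# HOME is what Tk expands when translating "~" in file names; PATH must be
# trusted before any system()/exec(), so set it outright rather than
# laundering whatever the caller supplied. The deletes follow perlsec.
untaint_path_like('HOME');
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

printf "HOME is %s\n", tainted($ENV{HOME}) ? 'still tainted' : 'untainted';
```

Run it as `perl -T script.pl` (or make it executable), since a -T in the #! line alone produces "Too late for -T" when the command line lacks it. On Win32, where clintp found the culprits, HOME may be absent or contain a drive letter and backslashes, so widen the character class deliberately rather than reaching for %ENV = (). The die on no-match is the important part: an untaint regex that quietly leaves a value unchanged, or that assigns the match's true/false result instead of the capture, defeats the point of turning tainting on.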