hesco has asked for the wisdom of the Perl Monks concerning the following question:

Just got this error code when I indicated an HTML template file to grab over HTTP. I guess a local file might avoid this taint issue. Is that right?
Insecure $ENV{PATH} while running with -T switch
But that would be a shame, as I have a drop in, ready to rock module called htmlgui.pm which with a few string substitutions wraps my forms in my clients' "look-n-feel" after using wget to grab it. I want them to be able to host and modify the template and have my forms track their changes, without further human intervention.

Can anyone please advise me how I might work around this taint issue given this?

Thanks,

-- Hugh

Re: How do I untaint data obtained from http?
by ikegami (Patriarch) on Apr 27, 2006 at 20:47 UTC
    You'd get the same taint error locally if you used -T locally. The fix is simple: set the PATH to something trusted. For example,
    $ENV{PATH} = '';
    or maybe
    $ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
Re: How do I untaint data obtained from http?
by davidrw (Prior) on Apr 27, 2006 at 21:54 UTC
    Also look at the perlrun manpage for -T. It has a description and also points over to the perlsec manpage, which discusses untainting in depth, including $ENV{PATH}.
Re: How do I untaint data obtained from http?
by cdarke (Prior) on Apr 27, 2006 at 22:22 UTC
    You can get this message running another program using system, qx (back-ticks), etc. Check if you are calling another program.
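
Added example (not code from any poster in this thread): a taint-mode script that combines the advice above by setting a trusted PATH, untainting the template URL with a strict pattern as perlsec describes, and running wget without a shell. The host name, the URL pattern and the sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as an executable script or with "perl -T" so taint mode is on from the start.
use strict;
use warnings;

# Taint mode refuses to run external programs while PATH, or the other
# shell-related variables named in perlsec, still hold inherited values.
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumption: the client's template is served from one known host (placeholder).
my $ALLOWED_HOST = 'templates.example.com';

# Untaint a URL by capturing it with a strict pattern; anything else is rejected.
sub untaint_template_url {
    my ($url) = @_;
    return unless defined $url;
    if ($url =~ m{\A(https?://\Q$ALLOWED_HOST\E/[\w./-]+\.html)\z}) {
        return $1;    # a regex capture is treated as untainted
    }
    return;
}

# Fetch the template with wget through the list form of open, so no shell
# ever parses the URL.
sub fetch_template {
    my ($url) = @_;
    my $clean = untaint_template_url($url)
        or die "Refusing to fetch unexpected URL\n";
    open(my $wget, '-|', 'wget', '-q', '-O', '-', $clean)
        or die "Cannot run wget: $!\n";
    local $/;                 # slurp the whole response
    my $html = <$wget>;       # data read from a handle is still tainted
    close($wget) or die "wget failed (exit status $?)\n";
    return $html;
}

# Constructed sample input: first command-line argument, else a default URL.
my $url = shift(@ARGV) // "http://$ALLOWED_HOST/site/template.html";
print fetch_template($url);
```

The fetched HTML stays tainted, so any part of it that later feeds a file name or a command needs its own pattern check.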