You're right, I didn't realize you had a small, fixed list of filenames that were allowed.
I would still recommend turning on taint mode, though. It stops you from accidentally introducing security problems at places in your program you may not have thought of.
Will do that, thank you :-)
But what do you mean, it stops me? Does it somehow check my Perl script and, if it finds it is not secure, deny execution or display warnings?
While your script is running, it will mark variables that come from outside the program as tainted. If you try to perform an unsafe operation with a tainted variable, the program will be killed instead of executing that operation.
However, it actually looks like Perl doesn't consider opening a file read-only to be an unsafe operation, which is surprising to me. So it wouldn't have solved your security problem, but it would help with something like this (which opens a file for append):
#!/usr/bin/perl -T
use warnings;
use strict;
use Scalar::Util qw(tainted);
use CGI qw(:standard);

BEGIN {
    if ($ENV{REQUEST_METHOD}) {
        eval 'use CGI::Carp qw(fatalsToBrowser)';
    }
}

use constant EOL => $ENV{REQUEST_METHOD} ? "<br>\n" : "\n";

if ($ENV{REQUEST_METHOD}) {
    print header(), start_html();
}

my $file = param('file')
    or die "No filename given";

# The next 3 lines will untaint the variable: only a match against a
# strict pattern, followed by taking the captured group, clears the taint.
$file =~ /^(\w+)$/
    or die "illegal filename\n";
$file = $1;

printf "\$file is%s tainted." . EOL, tainted($file) ? "" : "n't";

# Opening for append is an unsafe operation; with a still-tainted $file
# taint mode would kill the script here.
open(my $fh, '>>', "/tmp/$file")
    or die "Couldn't open file: $!";
print $fh "Wrote.\n";
close($fh);

print "OK" . EOL;

if ($ENV{REQUEST_METHOD}) {
    print end_html();
}
Update: This version should work from the command-line or CGI.
$ perl -lTe'system;print "RTFM"'
Insecure $ENV{PATH} while running with -T switch at -e line 1.
$ perl -le'system;print "RTFM"'
RTFM
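The following script is an added example, not code posted by anyone in this thread. It walks through the points made above in one run: the read-only open that taint mode does not stop, the append open that it does stop, untainting through a whitelist capture, and the `$ENV{PATH}` check that the `-lTe` one-liner trips over. It assumes a writable `/tmp`, that it is started as `perl -T taint_demo.pl somename`, and that the filename argument and the `\w{1,64}` whitelist pattern are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as: perl -T taint_demo.pl somename
# Assumes a writable /tmp; the argument and the whitelist pattern are illustrative.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Command-line arguments, %ENV, STDIN and file contents are all tainted under -T.
my $raw = defined $ARGV[0] ? $ARGV[0] : 'demo';
printf "argv[0] is%s tainted\n", tainted($raw) ? '' : "n't";

# 1. A read-only open does NOT trip taint checks (the caveat noted above),
#    so a name such as "../etc/passwd" would still be opened for reading.
#    Validation has to be explicit; taint mode alone will not catch this.
if (open my $in, '<', "/tmp/$raw") {
    print "read-only open of /tmp/$raw succeeded with a tainted name\n";
    close $in;
}

# 2. Opening for append/write with a tainted path dies with
#    "Insecure dependency in open while running with -T switch".
#    eval makes the failure observable instead of killing the script.
eval { open my $out, '>>', "/tmp/$raw" or die "open: $!"; close $out; 1 }
    or print "append with tainted name refused: $@";

# 3. Untaint by validating against a whitelist pattern and keeping only the
#    capture. Whatever the regex accepts becomes trusted, so keep it strict:
#    \w admits no slashes, dots or NUL bytes.
sub untaint_name {
    my ($s) = @_;
    return $s =~ /\A(\w{1,64})\z/ ? $1 : undef;
}
my $file = untaint_name($raw) or die "illegal filename\n";
printf "untainted name is%s tainted\n", tainted($file) ? '' : "n't";
open my $out, '>>', "/tmp/$file" or die "open: $!";
print $out "Wrote.\n";
close $out;

# 4. system/exec/backticks also require a trusted PATH, as the -lTe one-liner
#    shows: the inherited $ENV{PATH} is rejected until the script sets it itself.
eval { system('true') == 0 or die "system failed\n"; 1 }
    or print "system with inherited PATH refused: $@";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # cleanup recommended by perlsec
$ENV{PATH} = '/bin:/usr/bin';
system('true') == 0 and print "system OK after setting PATH explicitly\n";
```

The two `eval` blocks exist only to let the script continue past the fatal taint errors and print them; in production code you would simply let the script die, which is the behaviour the thread describes.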