in reply to Insecure $ENV{PATH} while running with -T switch
Your $send_path assignment defines the path to an executable, not your environmental PATH variable. To do that, follow quester's advice.
Any executable run from inside a perl script can in turn run any other executable in the PATH of the user who owns the process.
By using taint and then limiting the path to those where you need not fear any damage might be done, you make it safe for an anonymous browser to invoke an executable beyond the cgi script offered on your web server. And taint is there to warn you if you stray from the path.
Hope that adds some clarity.
-- Hugh
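
The distinction drawn in the reply above, as an added example that is not part of the original post or thread: `$send_path` names one executable, while `$ENV{PATH}` has to be set separately before taint mode will allow any external program to run. The sendmail location, the directory list and the recipient pattern are assumptions for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Under -T, Perl refuses to start an external program while $ENV{PATH} is
# still the inherited (tainted) value, even when the program is given by
# absolute path. Replace it with a fixed list of trusted directories.
$ENV{PATH} = '/usr/bin:/bin';                 # assumed safe directories
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};     # other variables perlsec says to clear

# Path to the executable itself; this does not affect $ENV{PATH}.
my $send_path = '/usr/sbin/sendmail';         # assumed location

# Constructed sample input standing in for a CGI form field.
# Command-line arguments are tainted, just as form data would be.
my $raw_to = shift(@ARGV) // 'user@example.com';

# Untaint by matching a strict pattern and keeping only the captured group.
# The first character must be a word character, so the value can never be
# read as a command-line option.
my ($to) = $raw_to =~ /\A(\w[\w.+-]*\@[\w.-]+)\z/
    or die "Rejected recipient address\n";

# List-form pipe open: no shell is started, so shell metacharacters in the
# arguments have no special meaning.
open(my $mail, '|-', $send_path, '-oi', $to)
    or die "Cannot run $send_path: $!\n";
print {$mail} "To: $to\nSubject: test\n\nMessage body\n";
close($mail) or die "$send_path exited with status $?\n";
```

Commenting out the `$ENV{PATH}` assignment reproduces the "Insecure $ENV{PATH}" error from the thread title at the `open` call.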