in reply to Re^7: pack() untaints data : bug or undocumented Perl 5.10 feature?
in thread pack() untaints data : bug or undocumented Perl 5.10 feature?

I think I see the assumptions you're making that I'm not.

I thought you were assuming only new code is run under new versions of the language system. You address that here, though.

Your other assumption is that "working properly" under 5.8.8 doesn't include failing with a Taint warning when a piece of tainted data makes it somewhere that matters. I think that's exactly proper, because the scalar that finally gets used for a file open or somesuch might have had its value assigned from different places based on different conditions. Remember that the taintedness follows the scalar value and not the variable.

    if ( 1 == $x ) {
        ... # $y cleaned
    }
    else {
        ... # $y not cleaned
        $y = pack "A*", $y;
        if ( tainted( $y ) ) {
            $y =~ s/[;\\'"\*]//g;
        }
    }
    open my $file, '<', $y;

Yes, there are probably better ways that could've been written. However, pushing Taint.pm as a safety net means that perfectly written software isn't its target anyway.
