in reply to Tainted variable
In this case they were looking for a way to bring tainted data in contact with a system command in a way that was absolutely safe, but would still trigger the taint test. If you hit the taint test you bomb out and get a false value. If you don't then you survive to the true return. Flip the truth and voila!
Incidentally I disagree with them on their comment about warnings. Consider the following test:
```perl
sub is_tainted {
    eval { () = (join('',@_), kill 0) };
    if ($@) {
        if ($@ =~ /^Insecure dependency/) {
            # The taint check fired: at least one argument is tainted.
            return 1;
        }
        else {
            # Something else went wrong inside the eval: re-throw it.
            die $@;
        }
    }
    else {
        return 0;
    }
}
```

Not only does this pass warnings, but it at least tries to handle the possibility of other things going wrong. (e.g. a platform where kill is not implemented...)
Re: Tainted variable
by Dominus (Parson) on Apr 17, 2001 at 15:51 UTC