in reply to Re: fileno, taint and CGI.pm
in thread fileno, taint and CGI.pm

but you could argue it is a bug in perl-5.10.0

Ah yes, Perl 5.10, that explains a few things. Perl 5.8 doesn't complain about an insecure dependency (just checked). I find it difficult to believe that of all the web applications in the world written with CGI.pm using new(), there isn't more chatter about breaking apps with a simple '-' URL value. But I can believe that the majority of those same apps are probably running under Perl 5.8, and maybe not even under taint mode at that.

Still, I'm dumbstruck by CGI's behaviour of using the parameter 'value' in the first place. Sure, CGI is complicated, and I don't profess to understand what's going on here. This particular piece of code appears to be related to preserving parameter values between calls (a feature of CGI I've never needed). But what's the point of referencing a filename based on the parameter value?

Re^3: fileno, taint and CGI.pm
by Anonymous Monk on Mar 29, 2009 at 19:57 UTC
    I knew you were going to ask :)
    $filename = param('uploaded_file'); ...
    temporary file that CGI.pm creates during upload spooling (see below).

    The filename returned is also a file handle. You can read the contents of the file using standard Perl file reading...

    CGI::Simple avoids such overloading
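As an added illustration of the "filename that is also a filehandle" pattern the reply above quotes, here is a standalone Perl script that is not CGI.pm's code and was not posted in this thread: a hypothetical Upload::Handle class (a blessed glob whose stringification is overloaded to the client-supplied name) and an is_filehandle() check that decides whether a parameter value may be used as a handle without ever passing a plain, tainted string such as '-' to fileno(). The spooled "upload" file and the tainted '-' value are constructed inside the script; the substr()-based tainting trick is an assumption noted in the code, and the final eval only reports what your perl does with an unguarded fileno().

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Symbol ();
use Scalar::Util qw(openhandle tainted);
use overload ();

# Hypothetical stand-in for the dual-natured value CGI.pm's param() returns for
# an upload field (CGI.pm's own class is NOT reproduced here): a blessed glob
# that reads the spooled temporary file and stringifies to the client's filename.
{
    package Upload::Handle;
    use overload
        '""'     => sub { ${ *{ $_[0] } } },   # the glob's scalar slot holds the name
        fallback => 1;

    sub new {
        my ($class, $client_name, $spool_path) = @_;
        my $glob = Symbol::gensym();
        open $glob, '<', $spool_path or die "open $spool_path: $!";
        ${ *$glob } = $client_name;            # stash the name in the scalar slot
        return bless $glob, $class;
    }
}

package main;

# Decide whether a parameter value may be used as a filehandle WITHOUT handing a
# plain (possibly tainted) string such as '-' to fileno(): only references are
# probed, so a scalar that came straight off the URL is rejected up front.
sub is_filehandle {
    my ($v) = @_;
    return 0 unless ref $v;                    # plain strings are never handles
    return 1 if defined openhandle($v);        # open glob / IO ref, blessed or not
    return 1 if overload::Method($v, '*{}');   # object that dereferences to a glob
    return 0;
}

# Constructed sample input: a spooled "upload" on disk plus the name the client sent.
my $spool = "/tmp/upload_demo.$$";
open my $out, '>', $spool or die "create $spool: $!";
print $out "first line of the upload\n";
close $out;

my $upload = Upload::Handle->new('report.txt', $spool);
print "stringifies to: $upload\n";             # the client filename
print "as handle:      ", scalar <$upload>;    # reads the spooled data
print "is_filehandle:  ", is_filehandle($upload), "\n";

# A value the way it arrives from a query string: tainted. Assumption: appending
# an empty substr() of a tainted string taints the result, which stands in here
# for reading the value out of $ENV{QUERY_STRING}.
my $dash = '-' . substr($ENV{PATH}, 0, 0);
print "'-' is tainted: ", (tainted($dash) ? 'yes' : 'no'), "\n";
print "is_filehandle:  ", is_filehandle($dash), "\n";   # 0, and fileno() never ran

# The unguarded probe this thread is about. The eval only reports what your perl
# does with it; this thread reports Perl 5.10 in taint mode complaining.
my $err = do { no strict 'refs'; eval { fileno($dash) }; $@ };
print $err ? "fileno on tainted '-': $err" : "fileno on tainted '-': no error\n";

close $upload;
unlink $spool;
```

Run it with taint mode on (the -T in the shebang, or `perl -T`); the point of is_filehandle() is that the `ref $v` test comes first, so the client-controlled string never reaches fileno() and whatever your perl version does with a tainted symbolic filehandle lookup is simply never exercised.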