sierrathedog04 has asked for the wisdom of the Perl Monks concerning the following question:

Line 50 of the Perl program elog2 contains the following statement:

my $UNAME = `/sbin/uname -n`;

When I run the program in taint mode I get the following warning: 

Insecure $ENV{PATH} while running with -T switch at elog2 line 50.

[download]

The following statement added to the top of the program makes that warning go away: 

#$ENV{PATH}= '/bin:/usr/bin:/usr/lbin/future';

[download]

The question is, why does the warning go away? Since line 50 specifies an absolute pathname I do not understand why taint cares whether there is an explicit path statement in the Perl program or not. What is the danger that the taint warning is guarding against?

Replies are listed 'Best First'.
Re: Surprising Taint Behavior
by no_slogan (Deacon) on May 05, 2001 at 00:03 UTC
    From perldoc perlsec:

    For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be non-writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is not generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH.

[reply]

Back to Seekers of Perl Wisdom