in reply to Do I really need to untaint from YAML::Tiny file?

If you check the read_string sub in Config::Tiny then you will see that the data are parsed from the config-file through the use of a regex. As a side-effect this untaints the data.

I'm not sure whether to consider this a feature or a bug.

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

Re^2: Do I really need to untaint from YAML::Tiny file?
by Anonymous Monk on Mar 13, 2010 at 18:51 UTC

    Thanks a lot for pointing me to that line in Config::Tiny.

    I was under the impression that a file was trusted. But I was wrong. The following direct read from a file also produces a taint error.

    I guess I will have to try next from a database to check my assumptions on that front.

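    #!/usr/bin/perl -wT
    # Read a file name from testyfin.txt; anything read from a file is tainted.
    open (my $infile, '<', 'testyfin.txt');
    my $ofile_name=<$infile>;
    my $file3=$ofile_name;    # the copy is tainted as well
    print "\n";
    print "Printing to file: " . $file3;
    print "\n";
    # The taint error is raised here: tainted $file3 names a file opened for writing.
    open (my $outfile3, '>', $file3);
    print $outfile3 "hello from testyc.pl\n";
    close($outfile3);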
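The same read done with a deliberate check, as an added example that is not part of either post above: the file name is untainted through an anchored allowlist regex, so the capture is a validation step and not the parsing side effect described for Config::Tiny. The helper name `untaint_filename`, the allowlist policy, and the sample contents written to `testyfin.txt` are assumptions made for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper (not from Config::Tiny or the thread): return an
# untainted copy of $raw only if it is a plain file name, otherwise undef.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    $raw =~ s/\r?\n\z//;    # drop the line ending that <$fh> leaves on
    # Allowlist policy assumed here: no directory part, no leading dot or
    # dash, at most 64 characters. \A and \z anchor the whole string.
    # Only the capture ($1) is untainted, and only when no
    # "use re 'taint'" or "use locale" is in effect.
    if ($raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;
    }
    return;
}

# Constructed sample input standing in for the poster's testyfin.txt.
open(my $seed, '>', 'testyfin.txt') or die "testyfin.txt: $!";
print {$seed} "testy_out.txt\n";
close($seed) or die "close: $!";

open(my $infile, '<', 'testyfin.txt') or die "testyfin.txt: $!";
my $ofile_name = <$infile>;
close($infile);

# Data read from the file is tainted, as the reply above found.
printf "raw value tainted:     %s\n", tainted($ofile_name) ? 'yes' : 'no';

# A catch-all pattern such as (.*) would clear the taint flag without
# checking anything; the allowlist is what makes the value trustworthy.
my $file3 = untaint_filename($ofile_name)
    // die "refusing unexpected file name in testyfin.txt\n";
printf "checked value tainted: %s\n", tainted($file3) ? 'yes' : 'no';

# With an untainted name this open no longer raises a taint error.
open(my $outfile3, '>', $file3) or die "$file3: $!";
print {$outfile3} "hello from testyc.pl\n";
close($outfile3) or die "close: $!";
```

Because `-T` is on the `#!` line, run the script directly or as `perl -T script.pl`.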