arief has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
please help me. I have code in a Perl module file. When I submit the button on the web, I want to call an external Perl script.
Here is my code in the Perl module file.

    package web::modify::send;
    use strict;
    use warnings FATAL => 'all';
    no warnings 'redefine';

    sub send {
        my $s  = shift;
        my $op = $s->param('Submit');
        eval {
            if ($op eq 'send') {
                system("./../bin/perl1.pl >> /log/file/perl1.log 2>&1 &");
            }
        };
        return;
    }
    1;

And I have a warning like this:
[Mon Feb 29 11:54:38 20] [warn] Insecure $ENV{PATH} while running with -T switch at /home/file/web/modify/send.pm line 1230.\n

Re: Insecure $ENV{PATH} while running with -T switch
by Corion (Patriarch) on Feb 29, 2016 at 07:50 UTC

    See perltaint. The best approach is to either avoid invoking the shell by removing the redirection or to explicitly set up $ENV{PATH} to a trusted value. In your case, likely the following will suffice:

    $ENV{PATH} = '/bin:/usr/local/bin';

    If the external program perl1.pl will be sending mail, maybe you also need to add the directory where the sendmail program lives to the path.

Re: Insecure $ENV{PATH} while running with -T switch
by Laurent_R (Canon) on Feb 29, 2016 at 07:31 UTC
    The -T switch is for running your programs under the taint mode, which prevents you from using potentially hazardous data from the outside (including environment variables) without first sanitizing it (meaning, usually, checking the content with appropriate regexes).
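
The two fixes described in the replies (pin `$ENV{PATH}` and avoid the shell) combined with the regex untainting Laurent_R mentions, as an added example that is not code from the thread. The absolute script path is a placeholder, and the helper names and the job argument passed to `perl1.pl` are assumptions made for illustration.

```perl
# Run under taint mode (perl -T).
use strict;
use warnings;
use POSIX ();

my $SCRIPT = '/path/to/bin/perl1.pl';   # placeholder absolute path
my $LOG    = '/log/file/perl1.log';     # log path from the question

# %ENV is tainted under -T: pin PATH and drop the variables perlsec
# lists as influencing the shell, before any system/exec.
sub scrub_env {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return;
}

# Untaint one request value by capturing it from an anchored allow-list
# regex; returns undef when the value does not match (hypothetical helper).
sub untaint_token {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

# Start $script in the background, appending stdout and stderr to $log,
# with no command string handed to /bin/sh.
sub spawn_detached {
    my ($script, $log, @args) = @_;
    scrub_env();
    defined(my $pid = fork()) or die "fork failed: $!";
    if ($pid) { waitpid($pid, 0); return; }   # parent reaps first child
    # First child forks again and exits, so the worker is re-parented
    # and never lingers as a zombie of the web process.
    defined(my $pid2 = fork()) or POSIX::_exit(1);
    POSIX::_exit(0) if $pid2;
    open STDIN,  '<',  '/dev/null' or POSIX::_exit(1);
    open STDOUT, '>>', $log        or POSIX::_exit(1);
    open STDERR, '>&', \*STDOUT    or POSIX::_exit(1);
    # List form of exec: arguments go straight to the program, unparsed.
    exec { $script } $script, @args or POSIX::_exit(127);
}

# Constructed usage: 'job-42' stands in for a submitted form value.
unless (caller) {
    my $job = untaint_token('job-42') // die "rejected parameter\n";
    spawn_detached($SCRIPT, $LOG, $job);
}
```

Perl checks `$ENV{PATH}` before `exec` and `system` even when the program path is absolute, so `scrub_env` is needed in the no-shell variant too.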