In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine.#!/usr/bin/perl -wT use strict my $tainteddata = $ARGV[0]; my ($untainteddata) = $tainteddata =~ /^([\w]+)$/; open(my $fh, ">", $untainteddata) or die; printf $fh <<EOMEOM; removing the next line of output allows the script to work the tainted data: $tainteddata script works with or without the following line the untainted data: $untainteddata EOMEOM close ($fh); exit;
This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.#!/usr/bin/perl -wT use strict; my $tainteddata = $ARGV[0]; my ($untainteddata) = $tainteddata =~ /^([\w]+)$/; open(my $fh, ">", $untainteddata) or die; printf $fh $tainteddata, "\n"; close ($fh); exit;
In reply to Re^2: Taint, CGI and perl 5.10
by nextguru
in thread Taint, CGI and perl 5.10
by nextguru
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |