in reply to Re^2: Insecure CPAN module in taint mode
in thread Insecure CPAN module in taint mode
Further, your example code ignores the remainder of the untainting in my example snippet, and shows that you didn't read the whole of perlsec, nor even the few paragraphs in the section called Cleaning Up Your Path. The delete was there for a reason; that reason was explained in the documentation I linked, but can be summed up in the statement that those other environment variables can affect execution similar to PATH. If you do not follow the complete advice, perl will still consider $ENV{PATH} tainted until you take care of those other environment variables as well.
But if you believe the assumptions about those paths is valid, and if you have implemented but not shown the other advice mentioned, then your code seems a reasonable way of making sure that only the "safe" path elements are included. edit:struck out; see afoken's additional points for why your code still isn't a reasonable way to trim the PATH/edit
But, while cleaning up PATH (and the related variables) is advisable from an un-tainting perspective, I think that Corion's advice in Re: Insecure CPAN module in taint mode is still even better: why fork out to an external process unless necessary?
edit:see inline edits/edit
|
---|
Replies are listed 'Best First'. | |
---|---|
Re^4: Insecure CPAN module in taint mode
by Bod (Parson) on Jul 06, 2021 at 22:22 UTC | |
by pryrt (Abbot) on Jul 06, 2021 at 22:29 UTC | |
by Bod (Parson) on Jul 07, 2021 at 17:32 UTC |