G'day Bod,

I didn't see it mentioned anywhere in the thread, so I thought I'd point out a general problem that you could be experiencing.

Here's a taint_test module:

$ cat taint_test.pm
package taint_test;

use strict;
use warnings;

chdir +(split /:/, $ENV{PATH})[0];
[download]

Here's a script that tries to clean $ENV{PATH}:

$ cat check_taint_1.pl
use strict;
use warnings;

$ENV{PATH} = '/bin:/usr/bin';
use lib '.';
use taint_test;
[download]

But that fails:

$ perl -T check_taint_1.pl
Insecure dependency in chdir while running with -T switch at taint_tes
+t.pm line 6.
Compilation failed in require at check_taint_1.pl line 6.
BEGIN failed--compilation aborted at check_taint_1.pl line 6.
$
[download]

The problem here is that the assignment to $ENV{PATH} occurs at runtime, whereas loading taint_test occurs at compile time. The order of the statements makes no difference: compile time happens before runtime.

Here's a subtly different version of the first script:

$ cat check_taint_2.pl
use strict;
use warnings;

BEGIN { $ENV{PATH} = '/bin:/usr/bin'; }
use lib '.';
use taint_test;
[download]

And this one works:

$ perl -T check_taint_2.pl
$
[download]

Both assignment and loading occur at compile time; the order of the statements now matters.

Here's a third version of the script with the order of statements changed:

$ cat check_taint_3.pl
use strict;
use warnings;

use lib '.';
use taint_test;
BEGIN { $ENV{PATH} = '/bin:/usr/bin'; }
[download]

And, as expected, this fails:

$ perl -T check_taint_3.pl
Insecure dependency in chdir while running with -T switch at taint_tes
+t.pm line 6.
Compilation failed in require at check_taint_3.pl line 5.
BEGIN failed--compilation aborted at check_taint_3.pl line 5.
$
[download]

Bear this in mind for things other than untainting $ENV{PATH}.