Re: Think beyond Taint and warnings


Keep It Simple, Stupid
	PerlMonks

Re: Think beyond Taint and warnings

by echo (Pilgrim)

on Sep 14, 2001 at 19:13 UTC ( [id://112442]=note: print w/replies, xml )

Need Help??

in reply to Think beyond Taint and warnings

I think it's worth mentionning that:

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
[download]

is not safe practice. With this code we still don't know what's left in %ENV, possibly a malicious environment variable can remain that will affect an application in unforeseen ways. One should not remove information one thinks is unsafe, but rather explicitely set information known to be safe. This is exactly the same mistake as trying to remove unsafe characters from a string before passing it to a shell: the secure way is to do the opposite, remove any character which is not from a known safe set. In the %ENV example I suggest recreating the hash from scratch with known safe values.

Comment on Re: Think beyond Taint and warnings Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://112442]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others avoiding work at the Monastery: (7)

As of 2024-04-23 18:39 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found