We don't bite newbies here... much | |
PerlMonks |
Re: Vetting a CGI scriptby hmerrill (Friar) |
on Nov 12, 2003 at 17:12 UTC ( [id://306561]=note: print w/replies, xml ) | Need Help?? |
I've been using Perl for the last 6+ years, and I don't even remember cgi-lib.pl :) I don't see a problem printing possibly tainted data to a file, but it really depends on what that file will be used for. I suppose you could say that untainting that data would be the responsibility of the program that *reads* that file. But my inclination would be to untaint the data before writing it to the file. I don't have much experience with -T taint mode, but I believe that if you intend to add the -T flag, that you'll have to untaint all external data (like form data) coming in first before using it anyway - so it's kind of a mute point. As far as piping tainted data to sendmail, I thought I had read something somewhere about the flags to sendmail having something to do with security precautions, but I can't seem to find that. Read the perldocs on "How do I send mail?" by doing at a command prompt and search (using the forward slash "/") for "sendmail" - you'll find it. There are some slight sendmail flag differences between your code and what they suggest - I'm not sure if those differences are significant. HTH.
In Section
Seekers of Perl Wisdom
|
|