but taint mode removes '.' from @INC
As of Perl 5.26, the current directory isn't in @INC any more, regardless of taint mode.
But now get an error Insecure dependency in require while running with -T switch at migrate.pl line 7.
It is safe to assume that paths returned by FindBin are tainted, and there's a reason behind that. For example, if someone creates a symlink to your script in some other directory and starts via the symlink, then FindBin will report the directory of the symlink! So, the script is loading relative to the symlink and not relative to your script - and this could be a malicious module. Protecting against this type of attack is an explicit purpose of taint mode.
The important question is: Against which sort of threats do you want to defend by using taint mode? If you load from a relative path, then someone might load and execute malicious code. It is the responsibility of your script to decide whether it wants to enable that by untainting the library before using it.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|