Pathologically Eclectic Rubbish Lister | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
Your example code assumes that the entirety of /usr and /bin are inherently safe. I cannot answer for you whether that is true on your webserver (which, IIRC, is a shared hosting server). edit:in light of afoken's additional points, I concur that your snippet was not sufficient./edit
Further, your example code ignores the remainder of the untainting in my example snippet, and shows that you didn't read the whole of perlsec, nor even the few paragraphs in the section called Cleaning Up Your Path. The delete was there for a reason; that reason was explained in the documentation I linked, but can be summed up in the statement that those other environment variables can affect execution similar to PATH. If you do not follow the complete advice, perl will still consider $ENV{PATH} tainted until you take care of those other environment variables as well.
But, while cleaning up PATH (and the related variables) is advisable from an un-tainting perspective, I think that Corion's advice in Re: Insecure CPAN module in taint mode is still even better: why fork out to an external process unless necessary? edit:see inline edits/edit In reply to Re^3: Insecure CPAN module in taint mode
by pryrt
|
|