PerlMonks
In the course of testing a function that manipulated taint,
I tried to verify that some data was tainted. From this I
noticed something rather odd with taint (or, as Ovid put it,
"This is totally screwy."). Taint should affect
all data derived from outside the program itself, but I was
seeing user-supplied arguments as untainted.
This quick test which should show $match, $two and $ENV{PATH} as tainted:
However, when I tested it only $ENV{PATH} was found to be tainted. I tested this on four different computers with two different operating systems and a total of four different perl versions, and that was always the result. Here is the output (I've left off $ENV{PATH} because it was too long), called with the -b flag:
# version 5.005_03 built for i386-freebsd
# FreeBSD our 4.4-RC FreeBSD 4.4-RC #7: Sun Aug 26 09:54:54 CET 2001 i386
# AND
# FreeBSD ns1 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 i386
(offline mode: enter name=value pairs on standard input)
a=foo
Running...
Perl version: 5.00503
Osname: freebsd
Executable name: /usr/bin/perl
zot is not tainted
zot is not tainted
foo is not tainted
foo is not tainted
1 is not tainted
1 is not tainted
######################################
# v5.7.3 built for i686-linux-64int
# Linux gremlin 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
# For some reason, this one didn't prompt me to enter the CGI arg
# in offline mode.
Running...
Perl version: 5.007003
Osname: linux
Executable name: /root/perl/bin/perl5.7.3
zot is not tainted
zot is not tainted
 is not tainted
 is not tainted
1 is not tainted
1 is not tainted
######################################
# v5.6.0 built for i386-linux
# Linux gremlin 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
(offline mode: enter name=value pairs on standard input)
a=foo
Running...
Perl version: 5.006
Osname: linux
Executable name: /usr/bin/perl
zot is not tainted
zot is not tainted
foo is not tainted
foo is not tainted
1 is not tainted
1 is not tainted
######################################
# perl5 (revision 5.0 version 6 subversion 1)
# linux funky 2.4.17-0.13smp #1 smp fri feb 1 10:30:48 est 2002 i686 unknown
Running...
Perl version: 5.006001
Osname: linux
Executable name: /usr/bin/perl
zot is not tainted
zot is not tainted
 is not tainted
 is not tainted
1 is not tainted
1 is not tainted

Ovid tested an earlier version of this test program which didn't use Getopt::Long or is_tainted_two (and had another string 'Ovid') and got this result:
D:\cygwin\home\Ovid>perl -T taint.pl a=1
zot is not tainted
1 is tainted
Ovid is not tainted

I was only able to think of a few possible explanations:
I am wondering if anyone is able to provide a sensible explanation for what I've noted.

Update: Per a msged suggestion, I turned on warnings to see if there was the 'too late for -T' error, but there were only the expected 'use of uninitialized value' warnings.
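As an added example, not the post's own script (which is not reproduced on the page): a standalone check that reports the taintedness of a literal, a command-line argument, $ENV{PATH}, a string derived from the argument and a regex capture, using both the perlsec eval idiom and Scalar::Util::tainted. The file name taint_check.pl and the helper names is_tainted_eval and describe are my own choices.

```perl
#!/usr/bin/perl -T
# Added example, not the script from the original post. Run as:
#   perl -T taint_check.pl foo
# Taint mode has to be enabled on the command line (or by a matching
# #! line); enabling it any later produces the "Too late for -T"
# message the post's update refers to.
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core module since Perl 5.8

# Classic idiom from perlsec for perls that lack Scalar::Util::tainted:
# a zero-length substring keeps the taint of its source, and eval'ing
# tainted data as code dies with "Insecure dependency in eval".
sub is_tainted_eval {
    my ($value) = @_;
    my $nada = substr($value, 0, 0);
    local $@;                       # do not clobber the caller's $@
    eval { eval "# $nada" };
    return length($@) != 0 ? 1 : 0;
}

# Report what both checks say about a value; they should always agree.
sub describe {
    my ($label, $value) = @_;
    return sprintf "%-14s eval-idiom=%d Scalar::Util=%d",
        $label, is_tainted_eval($value), tainted($value) ? 1 : 0;
}

my $literal = 'zot';                               # built inside the program
my $arg     = @ARGV ? $ARGV[0] : 'no-arg-given';   # the fallback literal is clean
my $path    = $ENV{PATH};                          # from the environment
my $derived = "$arg-copy";                         # interpolates tainted data
my ($clean) = $arg =~ /^([\w-]+)$/;                # a capture is the only untainting route
$clean = 'rejected' unless defined $clean;

print describe('literal',       $literal), "\n";
print describe('ARGV[0]',       $arg),     "\n";
print describe('ENV{PATH}',     $path),    "\n";
print describe('derived',       $derived), "\n";
print describe('regex capture', $clean),   "\n";
```

Under perl -T the literal and the regex capture report 0 for both checks and the other three report 1; run without -T, every value reports 0, because no taint tracking happens at all.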