http://www.perlmonks.org?node_id=827934


in reply to Re: Taint, CGI and perl 5.10
in thread Taint, CGI and perl 5.10

The following code exhibits the trouble.
#!/usr/bin/perl -wT
use strict;

my $tainteddata = $ARGV[0];

# Untaint by capturing through a regex: only \w characters are accepted.
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;

open(my $fh, ">", $untainteddata) or die "Cannot open $untainteddata: $!";

# The here document is passed to printf as its FORMAT string.
printf $fh <<EOMEOM;
removing the next line of output allows the script to work
the tainted data: $tainteddata
script works with or without the following line
the untainted data: $untainteddata
EOMEOM

close($fh);
exit;
In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine.
#!/usr/bin/perl -wT
use strict;

my $tainteddata = $ARGV[0];

# Untaint by capturing through a regex: only \w characters are accepted.
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;

open(my $fh, ">", $untainteddata) or die "Cannot open $untainteddata: $!";

printf $fh $tainteddata, "\n";

close($fh);
exit;
This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.

Re^3: Taint, CGI and perl 5.10
by ikegami (Patriarch) on Mar 11, 2010 at 05:21 UTC

    Your problem can be demonstrated using

    perl -Te'printf $ARGV[0]' foo

    The first argument of printf (optional fh aside) is the format pattern. It makes sense to require the pattern to be trusted. Consider %n, for example.

    printf $fh <<EOMEOM;
    should be
    printf $fh "%s", <<EOMEOM;
    or simply
    print $fh <<EOMEOM;

    Your code is buggy, and 5.10 catches your bug.

      That was it. Thanks much.

      Man ... that was a *spot* the bug for these eyes. Just to clarify, that's:

      printf $fh
      print $fh

      It took me a while to spot the f.

      -derby
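A stand-alone Perl script, added here as an illustration and not code from anyone in this thread, that runs under -T and shows the cases ikegami describes side by side: a tainted value used as printf's format (rejected), the same value passed as a %s argument behind a literal format, plain print, and the regex untainting from the original post. It builds its tainted input from %ENV instead of a CGI request or @ARGV (under -T every %ENV value is tainted, and it assumes PATH is set); the file name taint_printf.pl is assumed.

```perl
#!/usr/bin/perl -wT
# taint_printf.pl (assumed name): run as   perl -T taint_printf.pl
use strict;
use Scalar::Util qw(tainted);

# Constructed tainted input. Under -T every %ENV value is tainted, and
# concatenating an empty tainted string taints the result without
# changing its contents, so no CGI request or command line is needed.
my $taint   = substr($ENV{PATH}, 0, 0);
my $tainted = 'hello from the user' . $taint;
printf "input tainted: %s\n", tainted($tainted) ? 'yes' : 'no';

# Case 1: the tainted value IS the format. Since perl 5.9.5 taint mode
# dies here ("Insecure dependency in printf while running with -T switch"),
# because whoever controls the format controls its directives (%n, %s...).
if (eval { printf $tainted . "\n"; 1 }) {
    print "tainted format: accepted (pre-5.9.5 behaviour)\n";
} else {
    print "tainted format: rejected: $@";
}

# Case 2: a trusted literal format, with the tainted value as a %s
# argument. Tainted arguments are fine; only the format must be clean.
printf "%s\n", $tainted;

# Case 3: print has no format at all, so the value is written as-is.
print $tainted, "\n";

# Case 4: untaint by capturing through a regex, as in the original post.
# The copy is clean only because the pattern restricts what it accepts.
my ($clean) = $tainted =~ /^([\w ]+)$/;
printf "untainted copy tainted: %s\n", tainted($clean) ? 'yes' : 'no';
```

Run it with `perl -T taint_printf.pl` (or make it executable); invoking it as `perl taint_printf.pl` makes perl complain that -T on the shebang line comes too late. The `eval` is only there so the script can report the rejection and continue; in real code the fix is the one ikegami gives: a literal format with `%s`, or `print` when no formatting is needed.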
Re^3: Taint, CGI and perl 5.10
by rowdog (Curate) on Mar 11, 2010 at 12:44 UTC

    perldoc perl595delta says

    When perl is run under taint mode, printf() and sprintf() will now reject any tainted format argument.