note
BrowserUk
<blockquote><i>
My issue is that Perl tries to "guess" when I have looked at the input ("gee, the programmer captured some match groups from a regexp match on that input, so it MUST mean that he sanitized it"), instead of letting me tell it when I think I have looked at it closely enough (for example, by invoking a method untainted() on a variable).
</i></blockquote>
<p>Perl isn't "guessing". It is following the clearly laid out rule for 'detainting'. That is:
<blockquote><i>
Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.
</i></blockquote>
<p>And it goes on to say:
<blockquote><i>
That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism.
</i></blockquote>
<p>That may not be how <i>you think it should work</i>; but it is the way it <b>does work</b>. For better or worse.
<P>You can try putting forward your arguments for a different -- presumably better in your eyes -- way of working; but given how long the current mechanism has been in place; that the mechanism is -- has to be -- deeply embedded within the Perl core; and the historic convention that says Perl does not break backward compatibility; the net result is that you will have to learn to live with what is; because it is very unlikely to change at this point in time.
<div class="pmsig"><div class="pmsig-171588">
<hr />
<font size=1 >
<div>With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'</div>
<div>Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.</div>
<div>"Science is about questioning the status quo. Questioning authority". </div>
<div>In the absence of evidence, opinion is indistinguishable from prejudice.
<p align=right> [http://thebottomline.cpaaustralia.com.au/|RIP Neil Armstrong]</p></div>
</font>
</div></div>
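<p>The detainting rule quoted above, shown in a runnable script (an added example, not code from the post or from perlsec): under <code>-T</code>, data that arrives from outside is tainted, and the only thing that clears the flag is a capture group, whether the pattern was chosen with care or not. The filename and the environment-variable trick used to taint it are constructed for the demo.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: a literal, deliberately tainted by appending an
# empty slice of $ENV{PATH} (all of %ENV is tainted under -T).
my $input = 'report-2024.txt' . substr($ENV{PATH}, 0, 0);
print "input tainted?          ", tainted($input) ? "yes\n" : "no\n";

# Blind detainting: the pattern accepts anything, so $1 is clean in
# Perl's eyes but carries exactly the unchecked content. This is the
# "defeat the entire mechanism" case from perlsec.
my ($sloppy) = $input =~ /^(.*)$/s;
print "sloppy capture tainted? ", tainted($sloppy) ? "yes\n" : "no\n";

# Deliberate detainting: the pattern *is* the policy (a bare filename
# with no path separators), so Perl's presumption about $1 is earned.
sub untaint_filename {
    my ($s) = @_;
    return $s =~ /^([\w.-]+)\z/ ? $1 : undef;   # undef means rejected
}
my $clean = untaint_filename($input);
print "strict capture tainted? ", tainted($clean) ? "yes\n" : "no\n";

# A system-affecting op refuses tainted data outright, whatever it
# contains; chdir is used here because it alters nothing on disk.
for my $name ($input, $clean) {
    my $ok = eval { chdir $name; 1 };
    print defined $ok ? "chdir allowed for '$name'\n"
                      : "chdir refused: $@";
}
```

Run it as <code>perl -T script.pl</code>; passing the script to <code>perl</code> without the switch fails with "Too late for -T".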