Beefy Boxes and Bandwidth Generously Provided by pair Networks Cowboy Neal with Hat
Welcome to the Monastery
 
PerlMonks  

Re^2: Taint, CGI and perl 5.10

by nextguru (Beadle)
on Mar 11, 2010 at 03:52 UTC ( #827934=note: print w/ replies, xml ) Need Help??


in reply to Re: Taint, CGI and perl 5.10
in thread Taint, CGI and perl 5.10

The following code exhibits the trouble. 

#!/usr/bin/perl -wT
use strict
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh <<EOMEOM;
removing the next line of output allows the script to work
the tainted data: $tainteddata
script works with or without the following line
the untainted data: $untainteddata
EOMEOM
close ($fh);
exit;

[download]
In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine. 
#!/usr/bin/perl -wT
use strict;
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh $tainteddata, "\n";
close ($fh);
exit;

[download]
This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.


Comment on Re^2: Taint, CGI and perl 5.10
Select or Download Code
Re^3: Taint, CGI and perl 5.10
by ikegami (Pope) on Mar 11, 2010 at 05:21 UTC

    Your problem can be demonstrated using 

    perl -Te'printf $ARGV[0]' foo

    [download]

    The first argument of printf (optional fh aside) is the format pattern. It makes sense to require the pattern to be trusted. Consider %n, for example.

    printf $fh <<EOMEOM;
    should be
    printf $fh "%s", <<EOMEOM;
    or simply
    print $fh <<EOMEOM;

    Your code is buggy, and 5.10 catches your bug.

[reply]
[d/l]
[select]
      That was it. Thanks much.
[reply]

      Man ... that was a *spot* the bug for these eyes. Just to clarify thats:

      printf $fh
      print $fh

      It took me a while to spot the f.

      -derby
[reply]
Re^3: Taint, CGI and perl 5.10
by rowdog (Curate) on Mar 11, 2010 at 12:44 UTC

    perldoc perl595delta says

    When perl is run under taint mode, printf() and sprintf() will now reject any tainted format argument.
[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://827934]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (5)
As of 2013-05-23 22:29 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best material for plates (tableware) is:









    Results (493 votes), past polls