PerlMonks  

Re^2: Taint, CGI and perl 5.10

by nextguru (Scribe)
on Mar 11, 2010 at 03:52 UTC (#827934)


in reply to Re: Taint, CGI and perl 5.10
in thread Taint, CGI and perl 5.10

The following code exhibits the trouble.

#!/usr/bin/perl -wT
use strict;
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh <<EOMEOM;
removing the next line of output allows the script to work
the tainted data: $tainteddata
script works with or without the following line
the untainted data: $untainteddata
EOMEOM
close ($fh);
exit;
In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine.
#!/usr/bin/perl -wT
use strict;
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh $tainteddata, "\n";
close ($fh);
exit;
This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.


Re^3: Taint, CGI and perl 5.10
by ikegami (Pope) on Mar 11, 2010 at 05:21 UTC

    Your problem can be demonstrated using

    perl -Te'printf $ARGV[0]' foo

    The first argument of printf (optional fh aside) is the format pattern. It makes sense to require the pattern to be trusted. Consider %n, for example.

    printf $fh <<EOMEOM;
    should be
    printf $fh "%s", <<EOMEOM;
    or simply
    print $fh <<EOMEOM;

    Your code is buggy, and 5.10 catches your bug.

      That was it. Thanks much.

      Man ... that was a *spot* the bug for these eyes. Just to clarify, that's:

      printf $fh
      print $fh

      It took me a while to spot the f.

      -derby
Re^3: Taint, CGI and perl 5.10
by rowdog (Curate) on Mar 11, 2010 at 12:44 UTC

    perldoc perl595delta says

    When perl is run under taint mode, printf() and sprintf() will now reject any tainted format argument.
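The behaviour ikegami and rowdog describe, as an added example that is not code from this thread: it reproduces the taint failure with a here-doc used as the printf format, then shows the two safe forms ikegami gives (a literal "%s" format, or plain print) and a regex untaint of the value. The file name and the usage line are assumptions; the input is whatever you pass on the command line.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): shows the taint check that
# perl595delta describes and the two safe forms ikegami suggests.
# Run as:  perl -T taint_printf.pl 'some input'   (file name is an assumption)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: every element of @ARGV is tainted under -T.
my $input = @ARGV ? $ARGV[0] : die "usage: perl -T $0 STRING\n";
print "argument is tainted: ", (tainted($input) ? "yes" : "no"), "\n";

# 1. Tainted data as the *format* (the thread's bug). Interpolating $input
#    into the here-doc taints the whole here-doc, and perl 5.9.5+ dies with
#    "Insecure dependency in printf while running with -T switch".
my $ok = eval {
    printf STDOUT <<"EOT";
you typed: $input
EOT
    1;
};
print "here-doc used as format: ", ($ok ? "accepted\n" : "rejected: $@");

# 2. Safe: the format is a trusted literal; the tainted value is only data.
#    A '%' inside $input is printed literally instead of being parsed.
printf STDOUT "%s\n", "you typed: $input";

# 3. Safe: no format string at all (what the original code actually needed).
print STDOUT "you typed: $input\n";

# 4. Untainting: a capture from a regex match is untainted. Allow only an
#    explicit set of characters, so nothing that looks like a directive gets
#    through; this is the same idea the original code uses for the file name.
my ($clean) = $input =~ /\A([\w .,:-]+)\z/
    or die "argument contains characters that are not allowed\n";
print "untainted copy is tainted: ", (tainted($clean) ? "yes" : "no"), "\n";
printf STDOUT "$clean\n";   # accepted: format is untainted and has no '%'
```

Run it with `-T` on the command line as well as in the shebang, otherwise perl stops with "Too late for -T". Without taint mode nothing is tainted and step 1 is silently accepted, which is exactly the situation the 5.8.9 script was in; the 5.10 check turns a format built from untrusted input into an error instead of letting it be parsed for directives.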
