http://www.perlmonks.org?node_id=127375


in reply to Trojan Horse? (taint mode)

Perl interpolates variables in double quoted strings safely. Everything in the variable is considered to be a literal. So
my $a = q#${system('rm -rf /')}#; print "The command in \$a is $a\n";
will print out:
The command in $a is ${system('rm -rf /')}
and not even attempt to remove my files. Likewise this
my $b = "The command in \$a is $a\n";
sets $b to the string we printed out. Printing $b does exactly the same as the above. The only way this is going to come and cause us grief is if we eval $a - as you've suggested.

Perhaps the author is mistaken or you've misunderstood the reference, can you post the paragraph or two? I've checked the book errata and it's not mentioned anywhere there, but it's a pretty big mistake if you haven't misunderstood it.

Even authors make mistakes. :)

Replies are listed 'Best First'.
Re: Re: Trojan Horse? (taint mode)
by quinkan (Monk) on Nov 26, 2001 at 05:33 UTC

    The only way this is going to come and cause us grief is if we eval $a ?

    But pause to consider that someone playing with your CGI script has managed to get output redirected to an executable shell script.... Which is often the aim of a malicious hack. If you don't want naughty words appearing in, for example, your system initialisation scripts, it might be a good idea to untaint everything input.