You don't just want to blindly untaint. You want to validate the input.
That makes sense...thanks
So, would a sensible approach be to check that $Bin resembles one of the places I expect it to be run from?
Something like this (untested):
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser);
use FindBin qw($Bin);

# 'use lib' and 'use Site::HTML' run at compile time, so the check has to
# run in a BEGIN block; as a plain runtime 'if' it would only execute after
# both had already been processed with the tainted $Bin.
BEGIN {
    # ^ and \z anchor both ends so the capture is the whole directory,
    # not just a matching prefix of a longer path.
    if ($Bin =~ m{^(/home/someuser/somewebsite/\w{2,4}/cgi-bin)\z}) {
        $Bin = $1;    # the regex capture is untainted
    } else {
        die "unexpected script directory: $Bin\n";
    }
}
use lib $Bin;
use Site::HTML;
The \w{2,4} allows for the different subdomains used for development, testing, etc.
I don't recall seeing anything like that in any other Perl code I've seen that uses FindBin and lib so I'm guessing there is a better way to do it...
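The same idea as the post above, generalised into a reusable check and exercised against a few constructed paths. This is an added example, not code from the thread: the directory layout /home/someuser/somewebsite/&lt;subdomain&gt;/cgi-bin and the prefix list are assumptions taken from the post, and a tainted $Bin is simulated by concatenating an empty tainted string from %ENV rather than by loading FindBin, so the script runs from anywhere. It shows why the pattern should be anchored at both ends (a path that merely starts with the expected string, a trailing newline, or a "../" tail is rejected instead of being silently truncated by the capture) and uses Scalar::Util::tainted to confirm the taint flag is gone only on the value that passed validation.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted copy of $dir if, and only if, it is one of the
# directories the script is allowed to run from: "<prefix>/<subdomain>/cgi-bin"
# for one of the given prefixes, the subdomain being 2 to 4 word characters
# as in the post above. Anything else dies. (Assumed layout, not the
# thread's own code.)
sub untaint_script_dir {
    my ($dir, @allowed_prefixes) = @_;
    for my $prefix (@allowed_prefixes) {
        # \Q...\E quotes the prefix; ^ and \z anchor both ends, so a path that
        # merely starts with the expected string, or carries a trailing newline
        # or "/../..." tail, is rejected rather than truncated by the capture.
        if ($dir =~ m{^(\Q$prefix\E/\w{2,4}/cgi-bin)\z}) {
            return $1;    # a regex capture is untainted by definition
        }
    }
    die "not one of the expected cgi-bin directories\n";
}

# Demo. Under -T, %ENV is tainted, and concatenating an empty tainted string
# taints a value, which simulates a tainted $Bin without loading FindBin.
my $taint = substr($ENV{PATH} // '', 0, 0);

# Constructed sample paths, not taken from any real system.
my @candidates = (
    "/home/someuser/somewebsite/dev/cgi-bin",          # allowed
    "/home/someuser/somewebsite/test/cgi-bin\n",       # trailing newline
    "/home/someuser/somewebsite/dev/cgi-bin/../../x",  # traversal tail
    "/home/someuser/somewebsite/dev/cgi-binx",         # longer path, same prefix
    "/tmp/somewebsite/dev/cgi-bin",                    # wrong tree
);

for my $dir (map { $_ . $taint } @candidates) {
    (my $shown = $dir) =~ s/\n/\\n/g;
    my $clean = eval { untaint_script_dir($dir, '/home/someuser/somewebsite') };
    if (defined $clean) {
        printf "accepted '%s' (tainted before: %d, after: %d)\n",
            $shown, tainted($dir) ? 1 : 0, tainted($clean) ? 1 : 0;
    } else {
        print "rejected '$shown': $@";
    }
}
```

Run it as `perl -T untaint_demo.pl` (Perl refuses a -T that appears only in the shebang when it was started without the switch). Only the first candidate is accepted, and only its returned copy is untainted. In a real CGI script the call to untaint_script_dir belongs in a BEGIN block ahead of `use lib`, since `use lib` executes at compile time, before any ordinary statement.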