Re: Trojan Horse? (taint mode)


good chemistry is complicated, and a little bit messy -LW
	PerlMonks

Re: Trojan Horse? (taint mode)

by mattr (Curate)

on Nov 26, 2001 at 12:56 UTC ( [id://127508]=note: print w/replies, xml )

Need Help??

in reply to Trojan Horse? (taint mode)

I can't figure out why you would ever want to execute/eval untainted CGI input as-is. And I don't know if I'd trust Perl's CGI tainting to keep my evals safe from those curly brackets.. paranoia is good there.

As far as standard input, you are worried about a user maliciously erasing all their own files? Or are you allowing users to run suid? Context?

update 2002.1.26 sorry I missed your/blakem's quotation.

Comment on Re: Trojan Horse? (taint mode)

Replies are listed 'Best First'.

Re: Re: Trojan Horse? (taint mode)
by IraTarball (Monk) on Nov 26, 2001 at 21:37 UTC

tersely quoted

blakem

I can't figure out why you would ever want to execute/eval untainted CGI input as-is

Yeah, that does sound dangerous. That's why the quoted material caught my attention. It seemes to imply that code could be evaluated without my express permission but instead simply because I put it in double quotes. That kinda freaked me out.

Thanks,

Ira,

"So... What do all these little arrows mean?"
~unknown

[reply]

In Section Seekers of Perl Wisdom