Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Re: Re: proper untainting and use of ref

by particle (Vicar)
on Apr 17, 2002 at 18:39 UTC ( #159930=note: print w/replies, xml ) Need Help??


in reply to Re: proper untainting and use of ref
in thread proper untainting and use of ref

my problem is i've already untainted this data once. 
# ...snip...

# untaint parameters
for( keys %params )
{
    # !!!TODO!!! check 'ref' line for subtle bugs
    ( display_message( $messages{error} ) && exit )
        unless ref($valid_params{$_}) eq 'Regexp';
    if( $params{$_} =~ /$valid_params{$_}/ )
    {
        $params{$_} = $1;
    }
    else
    {
        display_message( $messages{error} ) && exit;
    }
}

[download]
so the data in %params should be untainted, no? but when it's accessed later, via

my $userfile = get_userfile( $config, $params{username} );

[download]
$userfile is now tainted, even though $params{username} should be untainted. am i missing something?

Update: modifying the get_userfile() sub like so:

sub get_userfile
{
    my ( $config, $username ) = ( shift, shift );

# add only this line: still tainted
# ( $config->{ users } ) = ( $config->{ users } =~ /^(.+)$/ );

# add only this line: untainted
# ( $username ) = ( $username =~ /^(.+)$/ );

    $config->{ users } . $username;
}

[download]
so $config and its data are not tainted. why is $params{ username } still tainted?

~Particle ;Þ

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://159930]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (5)
As of 2023-01-28 11:15 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found
    Notices?