in reply to perlsec question

People have told you what they are, good. IMHO, however, you are much better off resetting %ENV. Kill it: %ENV = ();. This way you know for sure you aren't passing anything bad. Or, at the very least, explicitly pass only things you know are safe or that you have sanitized.
my @PATH = map { m{^(/[\w./-]+)$} } split /:/, $ENV{PATH};  # m/clean/ stood for a real capturing regex; the capture is what untaints each dir
%ENV = ( PATH => join(':', @PATH) );                        # stray ';' inside the list removed

perl -p -e "s/(?:\w);([st])/'\$1/mg"

Re: Re: perlsec question
by chip (Curate) on Dec 14, 2001 at 09:57 UTC
    I should think that clearing %ENV would eventually bite you in the butt when you start using the code in question to run programs that depend on the environment.

    Granted there are times when it's appropriate -- running children from a setuid program, for example -- but most of the time it's just too big a hammer.

        -- Chip Salzenberg, Free-Floating Agent of Chaos

      When all you have is a hammer, everything looks like a nail :-D. Except, of course, having a Swiss Army chainsaw, there is more than a hammer at our disposal. However, it surely cannot be too difficult to later clean and pass other environment variables as needed. Else one could say that not clearing %ENV will eventually bite you in the butt, because you have no idea what some clever author of an external program will rely upon and do with an environment variable ;-).

      perl -p -e "s/(?:\w);([st])/'\$1/mg"
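The approach argued for in the first post and defended in the last reply (empty %ENV, then put back only what you have sanitized), written out as a complete taint-mode script. This is an added example, not code from the thread: the PATH allowlist (/usr/local/bin, /usr/bin, /bin), the LANG and TZ patterns, and the fallback PATH are assumptions chosen for illustration, not anything the posters specified.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). Run as: perl -T env_reset.pl
# Start from an empty %ENV and put back only what a child process needs,
# untainting each value through a regex capture.
use strict;
use warnings;

# Assumed allowlist of directories that may appear in PATH; anything else
# in the inherited PATH is dropped.
my %ok_dir = map { $_ => 1 } qw(/usr/local/bin /usr/bin /bin);

# Rebuild PATH from the inherited (tainted) value: keep only allowlisted,
# plain-looking absolute directories. The capture is what untaints them.
sub clean_path {
    my ($raw) = @_;
    my @keep;
    for my $dir ( split /:/, $raw // '' ) {
        next unless $ok_dir{$dir};                      # not on the allowlist
        my ($safe) = $dir =~ m{^(/[\w./-]+)$} or next;  # capture -> untainted
        push @keep, $safe;
    }
    return @keep ? join(':', @keep) : '/usr/bin:/bin';  # assumed fallback
}

# Untaint a free-form value only if it matches a tight pattern; otherwise
# return undef so the caller leaves the variable out entirely.
sub untaint_value {
    my ($raw, $re) = @_;
    return unless defined $raw;
    my ($safe) = $raw =~ $re;
    return $safe;
}

# Per-variable patterns (assumed) for the few other variables we are willing
# to forward. Everything not listed here never reaches the child.
my %pass = (
    LANG => qr/^([A-Za-z_]+(?:\.[\w-]+)?)$/,   # e.g. C, en_US.UTF-8
    TZ   => qr/^([\w\/+-]+)$/,                 # e.g. UTC, Europe/Berlin
);

my %old = %ENV;        # everything in here is tainted under -T
%ENV = ();             # the "kill it" step: start from nothing
$ENV{PATH} = clean_path($old{PATH});
for my $name (sort keys %pass) {
    my $v = untaint_value($old{$name}, $pass{$name});
    $ENV{$name} = $v if defined $v;
}
# perlsec singles these out as dangerous to a shell; the reset above already
# removed them, but deleting them explicitly documents the intent.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# With the inherited, tainted PATH this call would die under -T with
# "Insecure $ENV{PATH}"; after the rebuild it runs. List-form system()
# avoids the shell as well.
system('ls', '-d', '/') == 0 or die "ls failed: $?";
```

Anything a later child turns out to need (Chip's objection) is added by extending %pass with a pattern for that one variable, rather than by letting the whole inherited environment through again.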