in reply to Re^2: Insecure dependency in open
in thread Insecure dependency in open
You have obviously read the perldiag section:
The tainting mechanism is turned on when you're running setuid or setgid, or when you specify -T to turn it on explicitly.
However I don't think you understood the timing. When perl starts it notices the mismatch in uid/gid values and at that point turns on taint mode. And barring magic, taint mode stays on from the start of the program onwards. You can't turn off taint mode just by un-mismatching the uid/gid values.
Start a perl program in setuid mode and you get taint mode for free. You didn't have to ask for it, but perl wants to protect you from yourself. This only sank in the most recent time I did it to myself. So then I went off and did the untainting manipulations needed to 'clean' the data, because the program _might_ be run in taint mode, depending on the conditions when starting it.