you cannot directly untaint a hash value in perl 5.6.1.
i should have tested better before i posted. below is a sample script you can run to see for yourself. it creates a file in the current directory named 'file'. then it asks you to type in 'file' (minus the quotes.) this taints whatever variable is assigned the value entered. i test three methods of untainting: direct scalar, temp scalar and reassign, and direct hash value. the direct hash value method fails.
#!/usr/bin/perl -T
use strict;
use warnings;
$ENV{PATH} = '';
{
local *FH;
open(FH, '>', 'file') or die "can't create 'file'";
}
print "type 'file' to test: ";
my $file_in = <>;
my ($file, %regex, %params);
$regex{A} = qr/^(\w+)$/;
# untaint scalar ($file) - works fine
$file = $file_in; # tainted
( $file ) = ( $file =~ /$regex{A}/ ); # UNTAINTED
{
local *FH;
open( FH, '+>', $file ) or die "$file : untaint \$file";
close FH;
}
# untaint scalar ($temp) - works fine
%params = ();
$file = $file_in; # tainted
$params{A} = $file; # tainted
my $temp = $params{A}; # tainted
( $params{A} ) = ( $temp =~ /$regex{A}/ ); # UNTAINTED
{
local *FH;
open( FH, '+>', $params{A} ) or die "$params{A} : untaint \$temp";
close FH;
}
# untaint scalar hash value ($params{A}) - fails!
%params = ();
$file = $file_in; # tainted
$params{A} = $file; # tainted
( $params{A} ) = ( $params{A} =~ /$regex{A}/ ); # STILL TAINTED
{
local *FH;
open( FH, '+>', $params{A} ) or die "$params{A} : untaint \$params{A}";
close FH;
}
the error i get on cygwin with perl561 is:
$ t-taint.pl
type 'file' to test: file
Insecure dependency in open while running with -T switch at ./t-taint.pl line 46, <> line 1.
i have modified my code to untaint a temp scalar and reassign to the hash like so:
# untaint parameters
for( keys %params )
{
( display_message( $messages{error} ) && exit )
unless ref($valid_params{$_}) eq 'Regexp';
my $temp = $params{$_}; ### <--- added this variable
if( $temp =~ /$valid_params{$_}/ ) ### <--- changed this line
{
$params{$_} = $1;
}
else
{
display_message( $messages{error} ) && exit;
}
}
and all is well with the world.
~Particle ;Þ
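An added example (not Particle's code) that checks each approach with Scalar::Util's tainted() instead of waiting for open() to die, and wraps the temp-scalar workaround in a validator for a whole parameter hash. It assumes the name is passed as the first command-line argument so it runs without a prompt; untaint_params and status are helper names I chose, not part of the original post.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script. Reports the taint flag of
# each result directly rather than relying on open() to refuse the value.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$ENV{PATH} = '';   # taint mode refuses external commands with a tainted PATH

# Constructed input: @ARGV is tainted under -T, just like <STDIN>.
my $input = $ARGV[0];
die "usage: perl -T $0 <name>\n" unless defined $input;

# Allowlist rules: one capture group covering the whole accepted value.
my %rules = ( name => qr/^(\w+)$/ );

# Untaint every key of %$params against %$rules by copying the value into a
# temporary scalar first (the workaround from the post). Keys with no rule or
# a non-matching value are deleted so nothing tainted survives; the list of
# rejected keys is returned for error reporting.
sub untaint_params {
    my ($params, $rules) = @_;
    my @bad;
    for my $key (sort keys %$params) {
        my $rule = $rules->{$key};
        if (ref $rule ne 'Regexp') { push @bad, $key; delete $params->{$key}; next; }
        my $temp = $params->{$key};          # copy first: the 5.6.1 hash-value quirk
        if ($temp =~ $rule) { $params->{$key} = $1 }
        else                { push @bad, $key; delete $params->{$key} }
    }
    return @bad;
}

# Human-readable taint status of one value.
sub status {
    my $v = shift;
    return !defined $v ? 'rejected' : tainted($v) ? 'still tainted' : 'clean';
}

# 1. The direct hash-value form that failed on perl 5.6.1.
my %direct = ( name => $input );
( $direct{name} ) = ( $direct{name} =~ $rules{name} );
print "direct hash-value untaint: ", status($direct{name}), "\n";

# 2. The temp-scalar workaround applied to the whole hash; 'extra' has no
#    rule, so it is rejected and removed instead of being left tainted.
my %params = ( name => $input, extra => 'x' );
my @bad = untaint_params(\%params, \%rules);
print "temp-scalar untaint:      ", status($params{name}), "\n";
print "rejected keys: @bad\n";
```

Whether line 1 reports "clean" or "still tainted" depends on the perl version, which is exactly the point of the post; line 2 should report "clean" on any perl for a value matching the rule.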