Re: perlsec question

People have told you what they are, good. IMHO however you are much better off resetting %ENV. Kill it, %ENV = ();. This way you know for sure you aren't passing anything bad. Or at the very least, explicitly pass only things you know are safe or you have sanitized.

my @PATH = ($ENV{PATH} =~ m/clean/);
%ENV = (
        PATH => join(':', @PATH);
        );
[download]

-- perl -p -e "s/(?:\w);([st])/'\$1/mg"

Comment on Re: perlsec question Select or Download Code

Replies are listed 'Best First'.
Re: Re: perlsec question by chip (Curate) on Dec 14, 2001 at 09:57 UTC
I should think that clearing `%ENV` would eventually bite you in the butt when you start using the code in question to run programs that depend on the environment. Granted there are times when it's appropriate -- running children from a setuid program, for example -- but most of the time it's just too big a hammer. -- Chip Salzenberg, Free-Floating Agent of Chaos	[reply] [d/l]
Re: Re: Re: perlsec question by belg4mit (Prior) on Dec 14, 2001 at 20:23 UTC
When all you have is a hammer everything looks like a nail :-D. Except of course having a swiss army chainsaw there is more than a hammer at our disposal. However, it surely cannot be too difficult to later clean and pass other environment variables as needed. Else one could say not clearing %ENV will eventually bite you in the butt because you have no idea what some clever author of an external program will rely upon and do with an environment variable ;-). `-- perl -p -e "s/(?:\w);([st])/'\$1/mg"`	[reply]


more useful options
	PerlMonks