http://www.perlmonks.org?node_id=53931

BooK has asked for the wisdom of the Perl Monks concerning the following question:

This is maybe not the best place to ask this question... Anyway,

I noticed a big difference between perl 5.005_03 and 5.6.0... glob behaves quite differently under -T

Try this one-liner: 

C:\>perl5.exe -Te "print join', ',glob'*.txt'"
Insecure dependency in glob while running with -T switch at -e line 1.

[download]
according to perlsec, this is perfectly normal, and I don't complain... After all, in Perl under 5.6 this was done thanks to a subshell.

But now try this one:

C:\>perl56.exe -Te "print join', ',glob'*.txt'"
file1.txt, file2.txt, file3.txt

[download]
Well, in Perl 5.6, it is done with File::Glob, so why not.

But if you check in Amelia (page 727), you'll see that it's not the way glob should behave. You'll also notice glob is not in the list of taintedness examples page 560...

So, is this a bug in Perl 5.6? In Amelia? I tried this with ActivePerl 522 and 620, and with Perl 5.005_03 under FreeBSD and Perl 5.6.0 under Linux.

Replies are listed 'Best First'.
5.6 untained glob (Re: glob)
by tye (Sage) on Jan 24, 2001 at 18:54 UTC

    Running a test I find that readdir() doesn't return tainted data so 5.6's glob()s (there are choices of several now) shouldn't either (or readdir() is also broken) since they just do readdir() and return a subset of the values.

    I would certainly understand claiming that both readdir() and new glob()s should return tainted data (I could also understand automatically untainting any file names that don't contain unusual characters).

    Note also that just trying to do a glob() prior to 5.6 should fail if running in taint mode as doing the glob() is just opening up a huge list of security holes. ):

            - tye (but my friends call me "Tye")
[reply]

Back to Seekers of Perl Wisdom