develooper Front page | perl.perl5.porters | Postings from August 1999

Re: RFC new File::Find

From: Dan Sugalski
Date: August 30, 1999 07:31
Subject: Re: RFC new File::Find
Message ID: Pine.LNX.4.10.9908301023020.20186-100000@tuatha.sidhe.org
On Mon, 30 Aug 1999 jarausch@igpm.rwth-aachen.de wrote:

> On 30 Aug, Dan Sugalski wrote:
> > On Mon, 30 Aug 1999 jarausch@igpm.rwth-aachen.de wrote:
> > 
> >> I have modified a version of File::Find given by Ed <ed@chronos.net> .
> >> 
> >> 2nd) untainting - this needs some care
> >>      Using the current (5.005_61) File::Find in Taint mode doesn't work,
> >>      since e.g. readdir or readlink results will become tainted.
> > 
> > While I can understand needing to untaint inside of File::Find, the
> > filenames it returns really ought to be tainted. Using this module doesn't
> > make a filename of "rm -r /" any safer...
> 
> That depends on your 'untaint_pattern', the default wouldn't let this
> one pass through.

So when running in taint mode it only returns some of the filenames? I'm
not sure this is a good thing in general. Best yell really, *really* loud
about this one in the docs.

> So you say, if a directory name is tainted (I have to untaint it - since
> otherwise 'cd' breaks out) and then taint all descendants of this one???
> Even if, is there an efficient method to taint a string oneself?

When running in taint mode, the output of readdir should be
unconditionally tainted by the time they get returned. (They are unsafe
data, after all) Tainting in perl's tricky (ask Tom Phoenix about this
one), but probably the best thing to do is take the first returned
filename, stick it somewhere, then use it to taint anything you need.

Alternately, bug Sarathy to include the Taint module in the core... :-)
(Tainting's trivial from XS code)

					Dan
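The three points argued in this message (readdir output is tainted under -T, an allow-list 'untaint_pattern' only passes names that match it, and a tainted value can be used as a seed to re-taint derived strings) in one runnable Perl script. This is an added illustration written for this page, not code from the thread or from Ed's File::Find rewrite; the helper `taint_like_readdir`, the sample pattern `[\w.-]` and the constructed file names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added illustration (not from the thread): taint behaviour of readdir
# under -T, allow-list untainting, and re-tainting via a tainted seed.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# File::Temp knows about taint mode, so $dir comes back untainted.
my $dir = tempdir(CLEANUP => 1);

# Constructed sample entries: two harmless names and one with characters
# (space, semicolon) that a shell would treat specially.
for my $name ('safe.txt', 'also-safe_1.log', 'odd name;semicolon') {
    open my $fh, '>', "$dir/$name" or die "create $name: $!";
    close $fh;
}

# 1. readdir output is tainted under -T even though $dir itself is clean.
opendir my $dh, $dir or die "opendir $dir: $!";
my @entries = sort grep { $_ ne '.' && $_ ne '..' } readdir $dh;
closedir $dh;
printf "%-22s tainted=%d\n", $_, tainted($_) ? 1 : 0 for @entries;

# 2. An allow-list pattern in the spirit of the module's 'untaint_pattern'
#    option (hypothetical value): only names made of [\w.-] pass, and the
#    capture $1 is the untainted copy.  Names that fail are counted rather
#    than silently dropped, which is the loud-in-the-docs behaviour Dan asks for.
my $untaint_pattern = qr/^([\w.-]+)$/;
my (@clean, @rejected);
for my $name (@entries) {
    if ($name =~ $untaint_pattern) { push @clean,    $1    }
    else                           { push @rejected, $name }
}
print "accepted: @clean\n";
print "rejected: ", scalar(@rejected), " name(s) not matching the pattern\n";

# 3. Re-tainting: core perl has no "taint this" operator, so keep an empty
#    substring of a tainted readdir result as a seed and concatenate it onto
#    anything that must come back tainted (Dan's "stick it somewhere" trick).
my $taint_seed = substr($entries[0], 0, 0);   # empty string, still tainted

sub taint_like_readdir {                       # hypothetical helper
    my ($s) = @_;
    return $s . $taint_seed;
}

my $derived = taint_like_readdir("$dir/$clean[0]");
printf "derived path %s tainted=%d\n", $derived, tainted($derived) ? 1 : 0;
```

Run it as `perl -T script.pl` (the `-T` on the shebang line is only honoured when it matches the command line). The output shows every readdir entry with `tainted=1`, the two well-formed names accepted and one rejected, and the path built by `taint_like_readdir` reported as tainted again even though `$dir` and `$clean[0]` were both clean.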

