On Sat Nov 26 13:54:08 2011, jkeenan wrote:
> The language in 'perlsec' is as the original poster reported. I ran his
> test and confirmed his observations:
>
> ###
> not ok 6 - ternary interpolation: not tainted
> # Failed test 'ternary interpolation: not tainted'
> # at 59916.t line 24.
> ...
> not ok 14 - modifier interpolation: not tainted
> # Failed test 'modifier interpolation: not tainted'
> # at 59916.t line 47.
> ###
>
> If the behavior matched the documentation these tests would have passed.
>
> So, what action should be taken?

I suppose the documentation should be clarified, but it would be nice to make tainting less paranoid and only taint values that we *know* hail from tainted sources. The latter might be too hard to implement. The current implementation taints any newly-created or assigned-to scalars in the current expression if any tainted value has been ‘looked at’, where ‘looked at’ happens any time a tied variable would have a FETCH. Does that make sense, or is my explanation too opaque?

>
> Thank you very much.
> Jim Keenan

--
Father Chrysostomos
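The following probe is an added example, not part of this message and not the 59916.t file from the ticket. It reports, on whatever perl runs it, whether a result is tainted for a plain ternary, a ternary with interpolation, a statement modifier with interpolation, and an `if` block. The expression shapes and all variable names are constructed for illustration, modeled only on the test names quoted above.

```perl
# Added illustration; run with the -T switch on the command line.
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with -T\n" unless ${^TAINT};

# Under -T, $^X is tainted, so a zero-length substr of it is a tainted
# empty string that can mark any value without changing its content.
my $taint   = substr($^X, 0, 0);
my $tainted = "1$taint";     # true value carrying taint
my $clean   = 'constant';    # never derived from outside data

die "setup failed\n" unless tainted($tainted) && !tainted($clean);

sub report {
    my ($label, $is_tainted) = @_;
    printf "%-36s %s\n", $label, $is_tainted ? 'TAINTED' : 'not tainted';
}

# 1. Tainted condition, literal branches (the case perlsec describes).
my $r1 = $tainted ? 'yes' : 'no';
report('ternary, literal branches', tainted($r1));

# 2. Tainted condition, branches interpolate only an untainted variable.
my $r2 = $tainted ? "yes $clean" : "no $clean";
report('ternary, interpolated branches', tainted($r2));

# 3. Statement modifier: condition and assignment share one statement.
my $r3 = 'initial';
$r3 = "set $clean" if $tainted;
report('modifier, interpolated value', tainted($r3));

# 4. Control: same logic, but the assignment is a separate statement
#    inside the block, so the condition is evaluated outside it.
my $r4 = 'initial';
if ($tainted) { $r4 = "set $clean"; }
report('if block, interpolated value', tainted($r4));

# The untainted input itself should be unchanged by being read above.
report('$clean after all of the above', tainted($clean));
```

Any line that reports TAINTED for cases 2 to 4 marks a value whose content came only from untainted data, which is the over-tainting the message describes.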