perl.perl5.porters | Postings from October 1999

Re: printf is tainted!?

From: Chip Salzenberg
Date: October 24, 1999 15:47
Subject: Re: printf is tainted!?
Message ID: 19991024154743.E2593@perlsupport.com

According to Gurusamy Sarathy:
> On Sat, 23 Oct 1999 16:53:05 MDT, Tom Christiansen wrote:
> >I read this in perlfunc:
> >   To cope with broken systems that allow the standard locales to
> >   be overridden by malicious users, the return value may be tainted
> >   if any of the floating point formats are used and the conversion
> >   yields something that doesn't look like a normal C-locale floating
> >   point number.  This happens regardless of whether `use locale' is in
> >   effect or not.
> >Let us imagine that this is astonishing but true.  Shouldn't it be
> >in perlsec?  And shouldn't it be in perldelta?

Yes and yes.

> I don't really think the tainting behavior makes much sense.

Nor I.  If the locale can be overridden without Perl's knowledge, then
it can be overridden without the knowledge of other suid programs as
well.
-- 
Chip Salzenberg             - a.k.a. -              <chip@valinux.com>
           "I am the Lemon Zester of Destruction!"  //MST3K
