perl.perl5.porters | Postings from October 1999

Re: printf is tainted!?

Chip Salzenberg
October 24, 1999 15:47
According to Gurusamy Sarathy:
> On Sat, 23 Oct 1999 16:53:05 MDT, Tom Christiansen wrote:
> >I read this in perlfunc:
> >   To cope with broken systems that allow the standard locales to
> >   be overridden by malicious users, the return value may be tainted
> >   if any of the floating point formats are used and the conversion
> >   yields something that doesn't look like a normal C-locale floating
> >   point number.  This happens regardless of whether `use locale' is in
> >   effect or not.
> >Let us imagine that this is astonishing but true.  Shouldn't it be
> >in perlsec?  And shouldn't it be in perldelta?

Yes and yes.

> I don't really think the tainting behavior makes much sense.

Nor I.  If the locale can be overridden without Perl's knowledge, then
it can be overridden without the knowledge of other suid programs as
Chip Salzenberg             - a.k.a. -              <>
           "I am the Lemon Zester of Destruction!"  //MST3K
