develooper Front page | perl.perl5.porters | Postings from March 2001

taint checks in tests

Chris Nandor
March 30, 2001 06:28
As many of you know, kill() is unimplemented on MacPerl.  So this test does
not work from glob-taint.t:

	# all filenames should be tainted
	@a = File::Glob::bsd_glob("*");
	eval { $a = join("",@a), kill 0; 1 };

Someone suggested I do something like this:

	# all filenames should be tainted
	@a = File::Glob::bsd_glob("*");
	eval { eval "\$x = '@a'" };

And it works, but it is, of course, a bit dangerous: if taint checks fail,
and someone put a malicious file in there ...

Now, it was also suggested that maybe a new directory is created (perhaps
using tmpnam), files are put in there, then read, then tested.  Or maybe I
could just filter out non-ASCII characters with a regex in the values in @a
(taintedness should persist).

Or maybe I should just implement a kill() in MacPerl that is a no-op,
except that it pukes if its first argument is tainted.


Chris Nandor            
Open Source Development Network
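
An added example, not part of the original post or of Perl's own test suite: a taint check for the glob results that needs neither kill() nor an eval of the filenames themselves, using the zero-length-substring idiom documented in perlsec. It assumes it is run as `perl -T` (the script name in the comment is hypothetical) and uses Scalar::Util::tainted only as a cross-check.

```perl
# Run as: perl -T glob_taint_check.pl   (hypothetical file name)
use strict;
use warnings;
use File::Glob ();
use Scalar::Util qw(tainted);

die "run with perl -T\n" unless ${^TAINT};

# True if any argument is tainted. Only a zero-length substring of the data
# reaches the string eval, so the text compiled is always just "#": taint
# propagates through join(), substr() and ".", but no filename content is
# ever compiled or executed, even if taint checking were broken.
sub is_tainted {
    local $@;    # do not clobber the caller's $@
    return !eval { eval( "#" . substr( join( "", @_ ), 0, 0 ) ); 1 };
}

my @names = File::Glob::bsd_glob("*");

# join("", ()) is an untainted empty string, so an empty directory would
# make a whole-list check meaningless. Refuse to report on it.
die "no files matched; nothing to check\n" unless @names;

# Check every name individually rather than the joined list, so a single
# untainted entry cannot hide behind a tainted neighbour.
my @clean = grep { !is_tainted($_) } @names;

# Cross-check the idiom against Scalar::Util::tainted on each name.
my $agree = !grep { !!is_tainted($_) != !!tainted($_) } @names;

print "literal string tainted: ",
    ( is_tainted("constant") ? "yes" : "no" ), "\n";
printf "%d of %d glob results tainted\n", @names - @clean, scalar @names;
print "agrees with Scalar::Util::tainted: ", ( $agree ? "yes" : "no" ), "\n";

# Non-zero exit if any glob result came back untainted.
exit( @clean ? 1 : 0 );
```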
