develooper Front page | perl.perl5.porters | Postings from October 2003

Re: [perl #24291] Taint checking against the wrong environment

Thread Previous | Thread Next
Rafael Garcia-Suarez
October 26, 2003 22:55
Re: [perl #24291] Taint checking against the wrong environment
Message ID:
Ton Hospel wrote:
> In article <20031027002524.7b444942.rgarciasuarez@_ree._r>,
> 	Rafael Garcia-Suarez <> writes:
> > Maybe do nothing and let people shoot in their feet.
> >
> > Maybe just forbid aliasing *ENV at all. (with the collateral damage
> > on $ENV etc.) (or couldn't this chained alias thing be solved
> > by looking at the GvEGV ?)
> Crashing, dieing, compile erors  etc. are all solutions (though
> certainly not my preferred solutions), but doing nothing isn't
> acceptable since it's a potential security hole.

I just fixed the coredump case. It was very data-dependent and didn't
always occur ; most of the time it only corrupted memory.

> (my expectation and preferred solution was already mentioned in my
> previous message)

I don't like special-casing "local *ENV" over all other "local *symbol".

Other proposal : in TAINT_ENV, the routine that checks for a tainted
environment, croak() if %ENV hasn't environment-magic, or if the hash
slot of the *ENV glob is empty. This modifies only the behaviour of perl
with -T.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About