Ton Hospel wrote:
> If I understand correctly, the croak happens not on the localization
> of ENV, but when the system() tries to use it ?

Yes. I added the check for aliased *ENV in the same routine that checks
for insecure $ENV{XYZ}. (It's thus only called with taint checks turned
on.)

> That sounds fine for my library. It fixes the security hole, I can still
> fool CGI.pm with a fake env, and if the user tries to do a
> system/exec/qr during that time, he will get an error (I wasn't too sure
> about the proper behaviour for that last case anyways. The real PATH
> etc. will in fact have been set to safe values, but the user maybe
> expected his $ENV{PATH}=... to actually do something)

Why do you want to alias *ENV by the way ? You could have done

    local %ENV = (k1 => v1, ...);

or

    local %ENV = %ENV;
    $ENV{k1} = v1;
    ...
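For reference, the "local %ENV = %ENV; then fix up keys" pattern suggested above, worked through so that system() still passes the taint check (added illustration, not code from either poster; the command run and the PATH value are placeholders chosen for the example):

```perl
use strict;
use warnings;
# Run this with: perl -T safe_env.pl   (taint checks must be on for the
# insecure-$ENV{PATH} check discussed in the thread to apply at all).

# Added example: run an external command under -T by localizing a *copy*
# of %ENV instead of aliasing *ENV to some other hash, so the real
# environment is restored on scope exit and system() sees an untainted
# PATH while the block runs.
sub run_with_safe_env {
    my (@cmd) = @_;

    # Copy, don't alias: changes below are undone when the sub returns.
    local %ENV = %ENV;

    # Everything inherited from the environment is tainted under -T, and
    # system()/exec() croak with "Insecure $ENV{PATH}" if PATH is tainted.
    # A string literal is untainted; value here is a placeholder.
    $ENV{PATH} = '/usr/bin:/bin';

    # perlsec also lists these as variables that must not be tainted when
    # a shell may be involved; dropping them is the simplest safe choice.
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    my $rc = system(@cmd);    # list form: no shell parses the arguments
    return $rc == 0 ? 1 : 0;
}

# Placeholder command; any untainted program name on the fixed PATH works.
my $path_before = $ENV{PATH};
run_with_safe_env('true') or die "command failed: $?";

# Outside the sub the original (still tainted) PATH is back in place.
die "PATH was not restored\n"
    unless ($ENV{PATH} // '') eq ($path_before // '');
print "ok\n";
```

Aliasing *ENV to a fake hash would instead trip the new check at the system() call, which is exactly the croak the thread is about.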