
Re: [PATCH] Re: [perl #24291] Taint checking against the wrong environment

Rafael Garcia-Suarez
October 27, 2003 07:01
Ton Hospel wrote:
> If I understand correctly, the croak happens not on the localization
> of ENV, but when the system() tries to use it?

Yes. I added the check for aliased *ENV in the same routine that
checks for insecure $ENV{XYZ}. (It's thus only called with taint
checks turned on.)

> That sounds fine for my library. It fixes the security hole, I can still
> fool with a fake env, and if the user tries to do a
> system/exec/qr during that time, he will get an error (I wasn't too sure
> about the proper behaviour for that last case anyways. The real PATH
> etc. will in fact have been set to safe values, but the user maybe
> expected his $ENV{PATH}=... to actually do something)

Why do you want to alias *ENV by the way?
You could have done
    local %ENV = (k1 => v1, ...);
    local %ENV = %ENV;
    $ENV{k1} = v1; ...

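As an added illustration (not code from the thread or from Ton's library), here is the `local %ENV = %ENV` approach Rafael suggests, scrubbed the way perlsec recommends before a system() under -T, next to the `*ENV` aliasing that the patch discussed above makes system() croak on under taint checks. The command and the FOO override are constructed sample values.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Run a command with a scoped, sanitized copy of the real %ENV.
# Under -T, system() refuses a tainted $ENV{PATH} (and IFS, CDPATH,
# ENV, BASH_ENV), so the copy is scrubbed before the call.
sub run_with_local_env {
    my ($overrides, @cmd) = @_;

    # Copy the real environment into a scoped replacement; because %ENV
    # keeps its env magic, changes still reach the child process, and
    # the original values come back when this sub returns.
    local %ENV = %ENV;
    $ENV{PATH} = '/bin:/usr/bin';            # trusted, untainted PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{$_} = $overrides->{$_} for keys %$overrides;

    return system(@cmd) == 0;                # list form: no shell
}

# The aliasing variant from the thread: *ENV points at an ordinary hash,
# so the taint check sees clean values while the child still inherits
# the real (unchecked) environment. With the patch in this thread,
# system() croaks here under -T instead of running.
sub run_with_aliased_env {
    my ($overrides, @cmd) = @_;
    my %fake = (PATH => '/bin:/usr/bin', %$overrides);
    local *ENV = \%fake;
    return system(@cmd) == 0;
}

my $ok = run_with_local_env({ FOO => 'bar' }, '/usr/bin/env');
print "local %ENV: ", ($ok ? "ran" : "failed"), "\n";
print "PATH after scope: ", ($ENV{PATH} // '(unset)'), "\n";

my $aliased = eval { run_with_aliased_env({ FOO => 'bar' }, '/usr/bin/env') };
print "aliased *ENV: ", ($@ ? "rejected: $@" : ($aliased ? "ran" : "failed")), "\n";
```

Whether the second call is rejected depends on the perl running it: only a perl carrying the check described in this thread refuses system() on an aliased *ENV.
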