Tom Christiansen <tchrist <at> perl.com> writes:

>To my mind, it's a bug that while(<>) in taint mode doesn't
>realize that a raw @ARGV from the command line is unsafe.

FWIW, I agree. Since currently <> uses unsafe open, taint should flag it. At the moment you get no error, until one of the arguments happens to contain a shell metacharacter, at which point the program dies with a taint error. It would be better to die for all cases because then the programmer has a chance to spot the problem sooner.

But, again, this might prompt you to ask why just 'reading the files' should need taint checking. After all, there is no taint error for

    #!/usr/bin/perl -T
    use warnings;
    use strict;
    my $filename = <STDIN>;
    chomp $filename;
    open my $fh, '<', $filename or die $!;
    close $fh or die $!;

It executes just fine, and that is entirely correct. The open() call is safe, in that no matter what filename it is passed it will do what it says on the tin and try to open a file of that name for reading.

Taint checking and safe, predictable I/O commands are orthogonal. If you have a command like 3-arg open which doesn't rely on magic characters interpolated into a string to change its behaviour, then taint checking is not needed. Only inherently unsafe (powerful, but potentially dangerous) operations like eval "$code", /$regexp/, open($fh, "$magic_string") need the extra check.

-- 
Ed Avis <eda@waniasset.com>
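
The 3-arg open approach from the message, applied to the while (<>) case, as an added example that is not part of the original message or of Perl itself. The sub name read_args_literally is hypothetical; the only behaviour carried over from <> is reading STDIN for "-" or an empty argument list and warning then continuing on a file that cannot be opened.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper (not from the original message): a stand-in for
# while (<>) that never interprets magic characters in @ARGV.
# Each name is opened with 3-arg open in explicit read mode, so an
# argument such as "ls |" or ">file" is only ever tried as a literal
# filename, and taint mode has nothing it needs to flag.
sub read_args_literally {
    my ($callback, @names) = @_;

    # Same default as <>: with no arguments, read standard input.
    @names = ('-') unless @names;

    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            # The one convention kept from <>: "-" means STDIN.
            $fh = \*STDIN;
        }
        elsif (!open $fh, '<', $name) {
            # Like <>, warn and carry on with the next file.
            warn "Can't open $name: $!\n";
            next;
        }

        while (my $line = <$fh>) {
            $callback->($line, $name);
        }

        close $fh unless $name eq '-';
    }
    return;
}

# Behaves like: while (<>) { print }
# but an argument containing |, < or > is just an odd filename.
read_args_literally(sub { print $_[0] }, @ARGV);
```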