develooper Front page | perl.perl5.porters | Postings from May 2013

[perl #114908] rename wrongly considered insecure in an elsif clause

Bram via RT
May 29, 2013 00:23
On Sun May 26 17:15:32 2013, jkeenan wrote:
> On Fri Sep 14 10:24:05 2012, wrote:
> ... and renaming a file does not appear in that list of exceptions. My
> guess is that, for good reason or bad, renaming in taint mode is
> considered "any command that modifies files."

This is not the case.

If you change the 'elsif' to an 'if' then the test case passes.

Also note that the message is not specific to rename.
If you change the elsif to 'elsif (open my $fh, ">", $source_filename) {'
for example then the test will also fail.

There are two ways to make the test case work:
* change the 'elsif (rename ...)' to 'if (rename ...)'
* make sure the condition in the if block does not use a tainted value

The problem here is that the taint mode of the if-block is leaking into
the elsif block (which it shouldn't).

> So this seems to be a
> case of "works as designed" -- though perhaps the design is sub-

To me this behaviour does not appear to be 'works as designed' but 
looks more like a bug...

Best regards,


via perlbug:  queue: perl5 status: open
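
A minimal check for the behaviour discussed in this message, as an added example that is not the ticket's test case or the poster's code: it runs the same rename on untainted file names once as an `elsif` after a tainted `if` condition and once as a separate `if`. The file names, variable names and the tainted condition are assumptions; run it as `perl -T` from a writable directory.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run as: perl -T $0\n" unless ${^TAINT};

# Zero-length tainted string: $^X is tainted under -T, and so is any substr of it.
my $TAINT        = substr($^X, 0, 0);
my $tainted_flag = "1" . $TAINT;    # constructed tainted value for the condition

sub try_rename {
    my ($use_elsif) = @_;

    # Constructed, untainted file names in the current directory.
    my ($src, $dst) = ("taint_demo_src.$$", "taint_demo_dst.$$");
    die "file names must be untainted\n" if tainted($src) || tainted($dst);

    open my $fh, '>', $src or die "cannot create $src: $!\n";
    close $fh;

    my $ok = eval {
        if ($use_elsif) {
            # The first condition reads a tainted value and is false.
            if ($tainted_flag eq 'never') { }
            elsif (rename $src, $dst)     { return 1 }
        }
        else {
            # Same tainted condition, but the rename starts a new statement.
            if ($tainted_flag eq 'never') { }
            if (rename $src, $dst)        { return 1 }
        }
        return 0;
    };
    my $err = $@ || "rename returned false\n";

    unlink $src, $dst;    # clean up whichever name exists
    return $ok ? "ok\n" : "failed: $err";
}

print "elsif (rename ...): ", try_rename(1);
print "if    (rename ...): ", try_rename(0);
```

If the `elsif` line reports an "Insecure dependency" error while the `if` line reports ok, the taint state of the first condition is leaking into the `elsif` condition as described above.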
