home *** CD-ROM | disk | FTP | other *** search
/ ftp.cse.unsw.edu.au / 2014.06.ftp.cse.unsw.edu.au.tar / ftp.cse.unsw.edu.au / pub / doc / languages / perl / nutshell / ch7 / tainting < prev    next >
Encoding:
Text File  |  1992-10-18  |  888 b   |  33 lines
  1. $foo = shift;            # $foo is tainted
  2. $bar = $foo,'bar';        # $bar is also tainted
  3. $xxx = <>;            # Tainted
  4. $path = $ENV{'PATH'};        # Tainted, but see below
  5. $abc = 'abc';            # Not tainted
  6.  
  7. system "echo $foo";        # Insecure
  8. system "/bin/echo", $foo;    # Secure (doesn't use sh)
  9. system "echo $bar";        # Insecure
  10. system "echo $abc";        # Insecure until PATH set
  11.  
  12. $ENV{'PATH'} = '/bin:/usr/bin';
  13. $ENV{'IFS'} = '' if $ENV{'IFS'} ne '';
  14.  
  15. $path = $ENV{'PATH'};        # Not tainted
  16. system "echo $abc";        # Is secure now!
  17.  
  18. open(FOO,"$foo");        # OK
  19. open(FOO,">$foo");         # Not OK
  20.  
  21. open(FOO,"echo $foo|");        # Not OK, but...
  22. open(FOO,"-|") || exec 'echo', $foo;    # OK
  23.  
  24. $zzz = `echo $foo`;        # Insecure, zzz tainted
  25.  
  26. unlink $abc,$foo;        # Insecure
  27. umask $foo;            # Insecure
  28. eval $foo;            # Very insecure
  29.  
  30. exec "echo $foo";        # Insecure
  31. exec "echo", $foo;        # Secure (doesn't use sh)
  32. exec "sh", '-c', $foo;        # Considered secure, alas
  33.