Phoenix.pm: So, what are the merits of -T on CGI scripts?

David Sinck sinck at ip100.starwarz.org
Thu Sep 2 18:33:23 CDT 1999


> sub untaint
> 
> { my($taint)=@_;
> 
>   my $untaint =  $taint;
> 
>   $untaint    =~ s/\.\.//g;
>   $untaint    =~ s/\+/ /g;
>   $untaint    =~ s/\;//g;
>   $untaint    =~ s/\&//g;
>   $untaint    =~ s/\|//g;
>   $untaint    =~ s/\>//g;
>   $untaint    =~ s/\<//g;
>   $untaint    =~ s/\?//g;
>   $untaint    =~ s/\*//g;
>   $untaint    =~ s/\]//g;
>   $untaint    =~ s/\[//g;
>   $untaint    =~ s/\'//g;
>   $untaint    =~ s/\"//g;
>   $untaint    =~ s/\,//g;
> 
>   $untaint    =~ /^(.*)$/s;
>   $untaint    = $1;
> 
>   return($untaint); }
> 
> These two lines
> 
>   $untaint    =~ /^(.*)$/s;
>   $untaint    = $1;
> 
> are what actually remove the taint flag from
> the variable.  The other lines are just removing
> "questionable" characters (e.g. shell metacharacters)
> from the variable.
> 
> Tony

why not cast

$untaint =~ s/\.\.|[][+;&|<>?*'",]//go;
$untaint =~ /^(.*)$/s;
$untaint = $1;

and get them in one swell foop?  (YMMV on actual syntax....)

Well, other than clarity; but that's what comments are for.  :-)

David
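An added example, not code from either poster, that runs Tony's "strip questionable characters, then capture everything" untaint beside an allowlist untaint under -T and uses Scalar::Util::tainted to show which values perl still flags. The constructed input, the identifier pattern in allowlist_untaint and the file name are assumptions for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T untaint_demo.pl
# Shows that /^(.*)$/s clears the taint flag no matter what survived the
# blocklist, while an allowlist only untaints values that match a known shape.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Tony's approach: remove a blocklist of shell metacharacters, then capture
# whatever is left. The capture untaints $1 regardless of its contents.
sub blanket_untaint {
    my ($taint) = @_;
    my $untaint = $taint;
    $untaint =~ s/\.\.//g;
    $untaint =~ s/\+/ /g;
    $untaint =~ s/[][;&|<>?*'",]//g;   # the single-character strips as one class
    $untaint =~ /^(.*)$/s;             # always matches; $1 is now untainted
    return $1;
}

# Allowlist approach: say what a valid value looks like and untaint only that.
# Anything else is rejected instead of "cleaned". The pattern is an assumed
# shape for a short identifier such as a report name.
sub allowlist_untaint {
    my ($taint) = @_;
    return unless $taint =~ /^([A-Za-z0-9_-]{1,32})$/;
    return $1;
}

# Constructed input standing in for a CGI parameter. Every %ENV value is
# tainted under -T, so appending an empty substring of PATH marks the literal
# as tainted the way real request data would be.
my $raw = 'report;`id`' . substr($ENV{PATH} // '', 0, 0);

printf "raw:       %-16s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;

my $blanket = blanket_untaint($raw);
printf "blanket:   %-16s tainted=%d\n", "'$blanket'", tainted($blanket) ? 1 : 0;

my $allowed = allowlist_untaint($raw);
printf "allowlist: %s\n", defined $allowed ? "'$allowed'" : 'rejected';

# The blocklist removes ';' but backticks are not on it, so the command
# substitution survives and the value is no longer tainted: -T will not stop
# it reaching system() or open(). The allowlist rejects it outright while
# still untainting an ordinary input such as 'report'.
```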
