I'm generally dubious of constructs like "if $language ne 'english'". (Besides, should be "lc $language") .. are you certain there will never be another language ... German .. Cree ... <div>
<br></div><div>On a Hungarian keyboard from Budapest</div><div><br></div><div>Tom<br><br><div class="gmail_quote">On Mon, Apr 9, 2012 at 6:10 PM, Chris Jones <span dir="ltr"><<a href="mailto:cj@enersave.ca">cj@enersave.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So to confirm:<br>
<br>
my $language = <data from outside the program>;<br>
<br>
my $index = "index.html";<br>
<br>
if( $language ne "english" )<br>
{<br>
$index = "indexo.html"<br>
}<br>
<br>
# $index is now tainted and<br>
<br>
<a href="$index"><br>
<br>
# throws an error when selected by the user<br>
<br>
If that summarizes my issue, it certainly explains the problems I have been having.<br>
<br>
A follow on question:<br>
Is data retrieved from a database considered tainted? The application uses data retrieved from a mysql database. Would this data also be considered tainted?<br>
The program uses DBI, DBD-mysql.<br>
<br>
At 11:48 PM 06/04/2012, Liam R E Quin wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:<br>
> Uri<br>
> Thanks again for your help. I have one question about untainting<br>
> then files before opening.<br>
><br>
> Would not the split untaint the data:<br>
> my( $key, $value ) = split /\t/ ;<br>
<br>
No.<br>
<br>
The only ways to untaint data are to use them as keys in a hash (so $key<br>
is OK here, but $value is not) or to pick them out of a regular<br>
expression match with $1, $2, etc.<br>
The point of marking input data as tainted is so you can catch things<br>
like,<br>
my ($filename, $info) = split;<br>
system("ls $filename");<br>
and have filename be "/etc/group;reboot;" or something<br>
<br>
see "perldoc perlsec" for more info.<br>
<br>
><br>
> As long as there are no bad characters in the data, that should untaint it?<br>
> Again the input config file contains:<br>
> infilename ../input<br>
> outfilename ../output<br>
><br>
> If I use:<br>
> my $outfilename = "$confighash{outfilename}";<br>
> my $modfilename = "$outfiilename".".mod"; #add the extension<br>
><br>
> Would not $modfilename be untainted?<br>
No. Also watch for the two i's in outfiilename.<br>
<br>
The general principle is that data from outside your program cannot be<br>
trusted (whereas data from inside your program _probably_ shouldn't be<br>
trusted :-)) and untrusted data must never be allowed to affect the<br>
world outside your program. Yes, your data file might be safe, but what<br>
if it wasn't? How does Perl know?<br>
<br>
[...]<br>
> Which leads to a question about declaring variable and scope:<br>
> my( $key, $value ) = split /\t/ ;<br>
><br>
> Are these two variables in scope each time through the loop? That is<br>
> why I declared them outside the while loop in my original version.<br>
<br>
They are in scope, yes -- but if you have<br>
<br>
while ($sun_shines) {<br>
my $cider = split;<br>
. . .<br>
}<br>
<br>
then there's a new $cider made each time around the loop.<br>
<br>
Hope that helps.<br>
<br>
Liam<br>
<br>
--<br>
Liam Quin - XML Activity Lead, W3C, <a href="http://www.w3.org/People/Quin/" target="_blank">http://www.w3.org/People/Quin/</a><br>
Pictures from old books: <a href="http://fromoldbooks.org/" target="_blank">http://fromoldbooks.org/</a><br>
</blockquote>
<br>
Christopher Jones, P.Eng.<br>
Suite 1801, 1 Yonge Street<br>
Toronto, ON M5E1W7<br>
Tel. <a href="tel:416-203-7465" value="+14162037465" target="_blank">416-203-7465</a><br>
Fax. <a href="tel:416-946-1005" value="+14169461005" target="_blank">416-946-1005</a><br>
email <a href="mailto:cj@enersave.ca" target="_blank">cj@enersave.ca</a><br>
<br>
_______________________________________________<br>
toronto-pm mailing list<br>
<a href="mailto:toronto-pm@pm.org" target="_blank">toronto-pm@pm.org</a><br>
<a href="http://mail.pm.org/mailman/listinfo/toronto-pm" target="_blank">http://mail.pm.org/mailman/listinfo/toronto-pm</a><br>
</blockquote></div><br></div>
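The points made in the thread (split does not untaint, hash keys are never tainted but stored values are, interpolation carries taint along, only a regex capture clears it, and a whitelist table beats "ne 'english'") can be checked directly under perl -T. The script below is an added example, not code posted by Chris, Liam or Tom; the config line and the "French" value are constructed inline, and the script assumes PATH is set in the environment, since a zero-length slice of a tainted environment variable is how it marks its constructed input as tainted. Scalar::Util's tainted() is a core module.

```perl
#!/usr/bin/perl -T
# Run with:  perl -T taint_demo.pl
# Added example: which operations do and do not clear Perl's taint flag.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input, standing in for a line read from the config file.
# Appending a zero-length slice of a tainted environment variable marks
# the whole string tainted, exactly as file or socket input would be.
# (Assumes PATH is set in the environment; -T taints every %ENV value.)
my $taint_seed = substr($ENV{PATH} // '', 0, 0);
my $line       = "outfilename\t../output" . $taint_seed;
die "PATH is not set, so no tainted value could be constructed\n"
    unless tainted($line);

sub show {
    my ($label, $value) = @_;
    printf "%-34s tainted=%s\n", $label, tainted($value) ? 'yes' : 'no';
}

show('raw input line', $line);

# 1. split does NOT untaint: both halves stay tainted.
my ($key, $value) = split /\t/, $line;
show('$key after split',   $key);
show('$value after split', $value);

# 2. Hash keys are never tainted, but a tainted value stored under a key
#    keeps its taint, so $confighash{outfilename} is still unsafe.
my %confighash = ($key => $value);
my ($stored_key) = keys %confighash;
show('hash key',                 $stored_key);
show('$confighash{outfilename}', $confighash{outfilename});

# 3. Interpolation and concatenation carry the taint along.
my $modfilename = "$confighash{outfilename}" . ".mod";
show('$modfilename', $modfilename);

# 4. Taint checks bite only when the data reaches the outside world:
#    a read-only open of a tainted name is allowed, a write-mode open
#    dies with "Insecure dependency". Caught here so the script continues.
eval { open(my $fh, '>>', $modfilename) or die "open: $!\n"; 1 }
    or print "open('>>', \$modfilename) refused: $@";

# 5. Untainting: capture the acceptable part with a regex whose character
#    class is an explicit whitelist. Allowing '/' and '.' means a path
#    such as ../output still passes, so decide deliberately whether
#    relative paths are acceptable for this setting.
my $clean;
if ($modfilename =~ m{^([\w./-]+)\z}) {
    $clean = $1;                   # $1 is never tainted
}
show('$1 from whitelist regex', $clean);

# 6. Tom's point about "ne 'english'": choose the page from a table of
#    known languages. The value comes from a literal, so it is untainted,
#    and an unknown language falls back instead of being misfiled.
my $language  = "French" . $taint_seed;          # constructed, tainted
my %index_for = (english => 'index.html', french => 'indexo.html');
my $index     = $index_for{ lc $language } // 'index.html';
show('$index from table lookup', $index);
```

Step 4 is the one that produces the "Insecure dependency" error Chris was seeing: the write-mode open is refused because the name was derived from input and never passed through a capture. On the follow-up question about the database, DBI does not mark fetched data as tainted unless the handle was created with the Taint (or TaintOut) attribute, so rows from DBD::mysql behave like literals under -T by default; see the DBI documentation for those attributes.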