[tpm] Irritation problem

Liam R E Quin liam at holoweb.net
Fri Apr 6 20:49:10 PDT 2012


[sorry, resending from the right mail account]

On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:
> Uri
> Thanks again for your help.  I have one question about untainting 
> then files before opening.
> 
> Would not the split untaint the data:
> my( $key, $value ) = split /\t/ ;

No.

The only ways to untaint data are to use them as keys in a hash (so $key
is OK here, but $value is not) or to pick them out of a regular
expression match with $1, $2, etc. 
The point of marking input data as tainted is so you can catch things
like,
my ($filename, $info) = split;
system("ls $filename");
and have $filename be "/etc/group;reboot;" or something.

See "perldoc perlsec" for more info.

> 
> As long as there is no bad characters in the data that should untaint it?
> Again the input config file contains:
> infilename      ../input
> outfilename     ../output
> 
> If I use:
> my $outfilename = "$confighash{outfilename}";
> my $modfilename = "$outfiilename".".mod";  #add the extension
> 
> Would not $modfilename be untainted?
No. Also watch for the two i's in outfiilename.

The general principle is that data from outside your program cannot be
trusted (whereas data from inside your program _probably_ shouldn't be
trusted :-)) and untrusted data must never be allowed to affect the
world outside your program.  Yes, your data file might be safe, but what
if it wasn't? How does Perl know?

[...]
> Which leads to a question about declaring variable and scope:
> my( $key, $value ) = split /\t/ ;
> 
> Are these two variables in scope each time through the loop?  That is 
> why I declared them outside the while loop in my original version.

They are in scope, yes -- but if you have

while ($sun_shines) {
    my $cider = split;
    . . .    
}

then there's a new $cider made each time around the loop.

Hope that helps.

Liam

-- 
Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
Pictures from old books: http://fromoldbooks.org/
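As an added example that is not part of the original thread, here is a script (run as `perl -T example.pl`) showing what Liam describes: split() keeps the taint, hash keys lose it, a regex capture untaints, and taint mode refuses to hand a tainted value to system() at all. The config text is constructed from the thread's values, and the `yn` and `untaint_name` helpers are my own.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);
die "Run this as: perl -T example.pl\n" unless ${^TAINT};

# Constructed stand-in for the thread's config file plus the hostile name Liam
# mentions; the empty substr of a tainted %ENV value taints the whole string.
my $config = "infilename\t../input\n"
           . "outfilename\t../output\n"
           . "badname\t/etc/group;reboot;\n"
           . substr($ENV{PATH} // '', 0, 0);

# perlsec's standard cleanup, so the only taint left is in our own data.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

sub yn { return $_[0] ? 'yes' : 'no' }

my %confighash;
for my $line (split /\n/, $config) {
    my ($key, $value) = split /\t/, $line;   # fresh lexicals every iteration
    # split() carries taint through: both halves are still tainted here
    printf "%-12s key tainted=%s value tainted=%s\n",
        $key, yn(tainted($key)), yn(tainted($value));
    $confighash{$key} = $value;
}

# Hash keys are never tainted, so they come back clean; values still are,
# and so is anything built from them.
my $tainted_keys = grep { tainted($_) } keys %confighash;
my $modfilename  = "$confighash{outfilename}" . ".mod";
printf "tainted keys=%d; %s tainted=%s\n",
    $tainted_keys, $modfilename, yn(tainted($modfilename));

# Taint mode refuses tainted args even to list-form system() (no shell involved).
eval { system('ls', $modfilename) };
print "system() refused: $@" if $@;

# The cure is a regex capture that allows only what you expect; $1 is clean.
sub untaint_name {
    my ($raw) = @_;
    return $raw =~ m{^([\w./-]+)\z} ? $1 : undef;   # ';' can never match
}

for my $name (sort keys %confighash) {
    my $clean = untaint_name($confighash{$name});
    printf "%-12s %s\n", $name,
        defined $clean ? "ok: $clean (tainted=" . yn(tainted($clean)) . ')'
                       : "REJECTED: $confighash{$name}";
}
```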

