[tpm] Irritation problem

Liam R E Quin liam at holoweb.net
Mon Apr 9 13:24:09 PDT 2012

On Mon, 2012-04-09 at 16:20 -0400, Chris Jones wrote:
> Does this example untaint the incoming $value data being fed into the 
> %confighash?

>          if( $cfgLine =~ /([\w]+)\t([-\w\/.]+)$/)
>          {
>                  my $key = $1;
>                  my $value =  $2;
>                  print ("Key: $key, Value: $value\n");
>                  $confighash{ $key } = $value;


It's up to you to check for things like ../../../etc/passwd though

>          }
> }
> close $fhIn;
> In the above example, I may be including some invalid path characters?
> The value can be a number or a valid path | path/filename statement.
Filenames on most operating systems can include letter, digits, hyphen,
but watch that \w probably uses your system's locale (and usually UTF8
if Linux), so é is allowed too... legal and fine if it's what you want.
If you mean / [a-z/.-] /i, then say that instead ;)


Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
Pictures from old books: http://fromoldbooks.org/

More information about the toronto-pm mailing list