> So back to the taint patch. I assume (not being a taint person) that the
> working end of the patch is:
> 
>     +    # Untaint.
>     +    $config =~ /^(.*)\z/s;
>     +    $config = $1;
> 
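Review bot: `/^(.*)\z/s` matches any string whatsoever, so the `$config = $1` that follows validates nothing; it strips the taint flag from whatever was read from the config file and leaves the -T run no safer than an untainted one. Untaint by matching only the shape the config is expected to have (the known keys, a restricted value character class, anchored at both ends) and die on any line that does not fit, so the config file cannot smuggle in arbitrary content that later reaches mkdir/open/system.
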
> Is that the only thing that needs fixing for Inline to be taint-safe? If
> so I'll release 0.32 this week. If not, please give me a patch that just
> untaints the offending code so that Inline will work in -T environments.

I'm no expert on tainting, but a quick look through Inline.pm shows
me that while this is enough to untaint reading the config file, it
won't be enough for making directories or writing files.  That means
that only previously cached inlined code (in previously created .Inline
directories) will work under taint.  New or modified inlined code will
throw an "insecure dependency" error.  

This definitely makes developing under taint more difficult.  (But not
impossible -- just keep the inlined code in a module and compile it
with "perl -c" from the command line.)

Also, I'd rather have untainting be an option that I have to set
explicitly, just to keep me mindful of what's happening.

    use Inline ( C => 
        Config =>
            UNTAINT => 1,
            ...
    );

Eric
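
As an added illustration of the points in this thread (this is example code, not part of Inline.pm or the patch under discussion), the script below runs under -T and contrasts the patch's match-everything untaint with a validating one, shows that mkdir still dies on a tainted path no matter how the config was untainted, and models the explicit UNTAINT option suggested above. The "key : value" config shape, the load_config/untaint_config/untaint_path names and the /tmp scratch path are assumptions for the demo, not Inline's actual format or API.

```perl
#!/usr/bin/perl -T
# Added example, not Inline's code. Run as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for the contents of a .Inline config file. Under -T
# anything from outside the program is tainted; file contents would be, so
# we taint the literal by appending an empty substring of the (tainted)
# %ENV value, the idiom from perlsec.
my $config = "version : 0.31\nlanguage : C\n../../etc/passwd\n";
$config .= substr($ENV{PATH} || '', 0, 0);

# 1. The patch's approach: the pattern always matches, so the taint flag
#    is removed from the whole string, traversal line included.
sub launder {
    my ($s) = @_;
    $s =~ /^(.*)\z/s;
    return $1;
}

# 2. A validating untaint: keep only lines of the assumed "key : value"
#    shape (assumed format for this demo) and refuse everything else.
sub untaint_config {
    my ($s) = @_;
    my @clean;
    for my $line (split /\n/, $s) {
        if ($line =~ /^([A-Za-z_]+)\s*:\s*([A-Za-z0-9_.-]+)$/) {
            push @clean, "$1 : $2";    # captures are untainted
        } else {
            die "refusing to untaint unexpected config line: '$line'\n";
        }
    }
    return join("\n", @clean) . "\n";
}

# 3. Eric's suggestion modelled as an explicit opt-in: tainted config is an
#    error unless the caller passes UNTAINT => 1 (hypothetical option name).
sub load_config {
    my ($raw, %opt) = @_;
    return $raw unless tainted($raw);
    die "config is tainted; pass UNTAINT => 1 to accept validated lines\n"
        unless $opt{UNTAINT};
    return untaint_config($raw);
}

# 4. Paths are a separate problem: untainting the config does nothing for
#    the directory Inline has to create, so mkdir on a tainted path still
#    dies with "Insecure dependency".
sub untaint_path {
    my ($p) = @_;
    return $1 if $p =~ m{^(/tmp/[\w.-]+)\z};
    die "path '$p' does not look like a safe scratch directory\n";
}

my $laundered = launder($config);
printf "launder():      tainted=%d content_unchanged=%d\n",
    tainted($laundered) ? 1 : 0, $laundered eq $config ? 1 : 0;

eval { load_config($config); 1 }
    or print "load_config() without UNTAINT: $@";

eval { my $c = load_config($config, UNTAINT => 1); print $c; 1 }
    or print "load_config() with UNTAINT:    $@";

# Tainted directory name, as if derived from a config value or %ENV.
my $tainted_dir = "/tmp/inline_taint_demo" . substr($ENV{PATH} || '', 0, 0);
eval { mkdir $tainted_dir or die "mkdir: $!\n"; 1 }
    or print "mkdir(tainted path): $@";

my $dir = untaint_path($tainted_dir);
mkdir $dir or die "mkdir $dir: $!\n";
print "mkdir(validated path): ok, tainted=", tainted($dir) ? 1 : 0, "\n";
rmdir $dir;
```

Because the -T switch is on the shebang line, Perl insists it also appear on the command line, hence perl -T; the script is Unix-centric (a /tmp scratch path) in keeping with the environments discussed above.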
