On Tue, Jul 15, 2003 at 04:30:35PM +0300, Stas Bekman wrote:
> Peter B. Ensch wrote:
> 
> >>FWIW, I use the following code when I need to use ``|qx:
> >>
> >>local $ENV{PATH} = "/bin:/usr/bin";
> >>local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
> >
> >But this code must be used in each scope where you intend to use
> >backticks, a system call etc. Is there no way to untaint your
> >PATH environment one time for the script or handler?
> 
> If you write code used by other people this is probably the only way to go.
> This is because you want to control the setting. What if PATH gets
> untainted at the server startup, but then some other module sets a new
> tainted value to $ENV{PATH}? So it's a good habit to have it local to the
> code that you run.
> 
> Besides, it helps to avoid forking external processes. If you can rewrite your
> code:
> 
> foreach (`/bin/ls $path`) {
>     <do something>
> }
> 
> (which is probably not the real code), not to `` but to read the file in,
> and process it, you eliminate the whole problem altogether. I realize that
> this is not always possible.
> 
> How about abstracting untaint and `` into a single function:
> 
> sub backticks {
>     # scoped to this call only; the previous %ENV values are restored on return
>     local $ENV{PATH} = "/bin:/usr/bin";
>     local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
>     qx(@_);
> }
> 
Stas,

Thanks for your explanation and suggestion. I'm a lot clearer on this
issue now.

P.

-- 
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
Peter Ensch, [EMAIL PROTECTED]
A-1140 (214) 480 2333
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
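As an added example (not code from the thread above or from either poster), here is the wrapper idea carried through to a complete script that runs under taint mode. It assumes Perl 5.12 or newer (for `delete local`), and the function names `safe_qx` and `untaint_path_arg` are hypothetical names chosen for this example. The point it adds to the thread is the second half of the problem: localizing PATH/IFS/CDPATH/ENV/BASH_ENV satisfies perl's environment check, but any tainted data interpolated into the command still makes `qx` die, so the argument has to be laundered against an allow-list regex before it reaches the shell.

```perl
#!/usr/bin/perl -T
# Added example, not from the mailing-list thread: one wrapper around
# backticks that sanitizes %ENV on every call, plus an allow-list
# untainting step for the argument that gets interpolated.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a single argument against a narrow allow-list.
# Under -T the only way to launder data is a regex capture; this pattern
# permits only word characters, '.', '/' and '-', and rejects '..'
# components. Widen it only as far as the caller really needs.
sub untaint_path_arg {
    my ($arg) = @_;
    return unless defined $arg;
    my ($clean) = $arg =~ m{^([\w./-]+)$}
        or die "refusing unsafe argument: '$arg'\n";
    die "refusing '..' component in argument: '$clean'\n"
        if $clean =~ m{(^|/)\.\.(/|$)};
    return $clean;
}

# Backticks with a sanitized environment. The local() changes are undone
# when the sub returns, so a module that re-taints $ENV{PATH} later in
# the process cannot affect the next call to this wrapper.
sub safe_qx {
    my ($cmd) = @_;
    local $ENV{PATH} = '/bin:/usr/bin';
    # 'delete local' (perl 5.12+) removes the keys for this scope only;
    # perlsec lists these four as the variables the shell honours.
    delete local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return wantarray ? qx($cmd) : scalar qx($cmd);
}

# Anything from @ARGV is tainted under -T; launder it before use.
# Constructed default: '.' when no argument is given.
my $dir = untaint_path_arg( $ARGV[0] // '.' );
printf "argument tainted after laundering? %s\n",
    tainted($dir) ? 'yes' : 'no';

# Same shape as the foreach(`/bin/ls $path`) loop in the thread.
for my $line ( safe_qx("/bin/ls $dir") ) {
    chomp $line;
    print "entry: $line\n";
}
```

Run it as `perl -T script.pl some/dir`; invoking it without `-T` on the command line when the shebang carries `-T` produces "Too late for -T". Passing an argument such as `; id` is rejected by `untaint_path_arg` before any shell is involved. For commands with several arguments, the list form of `open` (`open my $fh, '-|', '/bin/ls', $dir`) avoids the shell entirely and is preferable to interpolating into backticks; and, as the thread says, reading the directory with `opendir`/`readdir` removes the forked process altogether.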