On Tue, Jul 15, 2003 at 04:30:35PM +0300, Stas Bekman wrote:
> Peter B. Ensch wrote:
>
> >>FWIW, I use the following code when I need to use ``|qx:
> >>
> >>local $ENV{PATH} = "/bin:/usr/bin";
> >>local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
> >
> >But this code must be used in each scope where you intend to use
> >backticks, a system call, etc. Is there no way to untaint your
> >PATH environment one time for the script or handler?
>
> If you write code used by other people this is probably the only way to go.
> This is because you want to control the setting. What if PATH gets
> untainted at the server startup, but then some other module sets a new
> tainted value to $ENV{PATH}? So it's a good habit to have it local to the
> code that you run.
>
> Besides, it helps to avoid forking external processes. If you can rewrite your
> code:
>
> foreach (`/bin/ls $path`) {
>     <do something>
> }
>
> (which is probably not the real code), not to `` but to read the file in,
> and process it, you eliminate the whole problem altogether. I realize that
> this is not always possible.
>
> How about abstracting untaint and `` into a single function:
>
> sub backticks {
>     local $ENV{PATH} = "/bin:/usr/bin";
>     local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
>     qx(@_);
> }
>
Stas,
Thanks for your explanation and suggestion. I'm a lot clearer on this
issue now.
P.
--
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
Peter Ensch,
[EMAIL PROTECTED] A-1140 (214) 480 2333
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
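The wrapper idea from the thread, worked into a complete script as an added example (this is not code from either poster): a taint-mode script that routes every external command through a sub which localises PATH and drops IFS/CDPATH/ENV/BASH_ENV for the duration of the call, untaints its argument with an explicit allow-list regex, and also shows the list-form pipe open that avoids the shell altogether. The names `backticks`, `capture` and `untaint_path`, and the use of `/bin/ls` on `/tmp` as sample input, are this example's own choices.

```perl
#!/usr/bin/perl -T
# Added example, not code from the mailing-list thread: a taint-safe
# command wrapper in the spirit of the backticks() sub discussed above.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Every external command goes through here. The local() assignments
# hold only until the sub returns, so a module that has stored a tainted
# value in $ENV{PATH} cannot affect this call, and the caller's
# environment is restored afterwards. IFS/CDPATH/ENV/BASH_ENV are
# removed because perl -T refuses to run a command while any of them is
# set and tainted (see perlsec).
sub backticks {
    local $ENV{PATH} = '/bin:/usr/bin';
    local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return qx(@_);    # "@_" joins the arguments with spaces, like `cmd args`
}

# Same protection without a shell (hypothetical helper name): list-form
# pipe open hands argv straight to execvp(), so no shell ever parses the
# arguments. PATH still has to be clean because execvp() searches it.
sub capture {
    my @cmd = @_;
    local $ENV{PATH} = '/bin:/usr/bin';
    local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open my $fh, '-|', @cmd or die "cannot run @cmd: $!\n";
    my @out = <$fh>;
    close $fh or die "@cmd failed: exit status " . ($? >> 8) . "\n";
    return @out;
}

# Untainting is an explicit allow-list: only a capture from a regex
# match clears the taint flag, so the pattern is the security policy.
sub untaint_path {
    my ($p) = @_;
    $p =~ m{^([\w./-]+)\z} or die "refusing unsafe path: $p\n";
    return $1;
}

# --- usage ----------------------------------------------------------
# Under -T, command-line data and the inherited %ENV are tainted.
my $dir = @ARGV ? shift @ARGV : '/tmp';    # '/tmp' is a literal, hence clean
print "argument tainted: ", (tainted($dir) ? 'yes' : 'no'), "\n";
print "PATH tainted:     ", (tainted($ENV{PATH}) ? 'yes' : 'no'), "\n";

# Passing $dir straight to qx() with a tainted value would die with
# "Insecure dependency in `` while running with -T switch".
my $safe_dir = untaint_path($dir);

for my $entry (backticks('/bin/ls', '-1', $safe_dir)) {
    chomp $entry;
    print "ls:   $entry\n";
}
for my $entry (capture('/bin/ls', '-1', $safe_dir)) {
    chomp $entry;
    print "open: $entry\n";
}

# Both wrappers leave the caller's own (still tainted) PATH untouched.
print "PATH after:       $ENV{PATH}\n";
```

Run it as `perl -T taintdemo.pl /tmp`; the `-T` must be given on the command line as well as on the `#!` line, or recent perls stop with "Too late for -T". Passing something like `'/tmp; id'` makes `untaint_path` die before any command runs, which is the point: the regex, not the caller, decides what may reach the shell.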