I've got a tainting problem that might be solved by a philosophical rather than technical solution, want to know what people think of it.

Lemme splain. I'm rejiggering the guts of Test::Harness, and one of the goals is to make it work under taint mode. Test::Harness obviously has to run Perl programs, and this involves using $^X. $^X is tainted. Even worse, $^X is often just "perl", which means $ENV{PATH} enters the picture.

My solution to the problem is to manually use $ENV{PATH} to resolve a non-absolute $^X, detaint the result and use it in system or open or whatever. My thinking is that since this is the same data and logic that got us to the currently running perl binary, we can trust it implicitly.

I can't think of how this might cause a security problem. Can anyone else?

Of course, if there's a portable, safe, taint-clean way to run another perl program from perl that I'm overlooking, I'll use that instead.

-- 
Michael G. Schwern <[EMAIL PROTECTED]> http://www.pobox.com/~schwern/
Perl6 Quality Assurance <[EMAIL PROTECTED]> Kwalitee Is Job One
I'm going to have to hurt you on principle.
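The resolution-then-detaint approach described in the post, as an added example that is not Schwern's code nor Test::Harness's. It assumes `File::Spec->path` is available for splitting $ENV{PATH}, it skips relative or world-writable directories (the same conditions Perl's own taint check rejects in PATH), and it resets PATH to a constant afterwards because taint mode inspects $ENV{PATH} on every system/exec/piped open even when the program path is absolute.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;

# Resolve $^X to an absolute, detainted path, or return undef.
# File tests on tainted data are permitted under -T, so we can
# inspect candidates before lifting the taint flag.
sub resolve_perl {
    my $perl = $^X;

    unless (File::Spec->file_name_is_absolute($perl)) {
        my $found;
        for my $dir (File::Spec->path) {            # splits $ENV{PATH}
            # Mirror perlsec: refuse relative and world-writable dirs.
            next unless File::Spec->file_name_is_absolute($dir);
            next if $^O ne 'MSWin32' && ((stat $dir)[2] || 0) & 0002;
            my $cand = File::Spec->catfile($dir, $perl);
            if (-f $cand && -x _) { $found = $cand; last }
        }
        return undef unless defined $found;
        $perl = $found;
    }

    # Only a regex capture untaints. Keep the class tight: letters,
    # digits, path separators and drive colons, no shell metacharacters
    # and no whitespace (loosen deliberately if your install path needs it).
    my ($clean) = $perl =~ m{\A([\w./\\:-]+)\z} or return undef;
    return $clean;
}

# Run a child perl with the resolved binary under taint mode.
sub run_child_perl {
    my @args = @_;
    my $perl = resolve_perl()
        or die "cannot locate a trustworthy perl binary for $^X";

    # Standard perlsec hygiene: the child sees a constant PATH and
    # none of the shell-influencing variables taint mode also checks.
    local $ENV{PATH} = '/usr/bin:/bin';             # assumed safe dirs
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # List form: no shell, so $perl and @args are passed verbatim.
    return system($perl, @args);
}

exit(run_child_perl('-e', 'print "child ok\n"') == 0 ? 0 : 1);
```

Running a test script through the harness would pass the script path in place of the `-e` snippet; the point of the example is that the only data that reaches system() is the resolved binary plus caller-supplied arguments, never a tainted, PATH-dependent "perl".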