Steven Schubiger wrote:
On Tue, Oct 04, 2005 at 07:13:01PM -0500, Steve Peters wrote:

The statement
"Not tested on VMS or MacOS, although there is platform specific code
for those." does scare me a bit though.


The same occurred to me, although it doesn't necessarily imply that it doesn't
work; it has a real chance of failure though. We could still choose to lose
these tests in exchange for having the taint checks pass. Or we could select another suitable implementation.

I am still trying to determine what is the status of tainting on VMS. I am not 100% sure it is covering all things that should be tainted.

The test cases assume that the current working directory value can become tainted. On VMS, I can always come up with an untainted value, and in fact that is easier to do than to produce a tainted value.

On VMS, it is possible that logical names that are not in the EXEC or higher privileged mode should be considered tainted, and ones that are in the EXEC mode or higher should not be, if I understand what tainting is supposed to do.

I do not think that Perl on VMS is making that distinction now, and I do not know how to implement such a change.

Also, the underlying C library still trusts the logical names that could be tainted, unless the Perl interpreter is installed with privilege and attempts to dynamically load another image. In that case logical names that could be modified by non-privileged users are ignored.

-John
[EMAIL PROTECTED]
Personal Opinion Only

