From: Chris S. <cas...@pe...> - 2007-01-04 14:49:58
Normally taint mode is off by default. However, according to perldoc perlsec, if perl notices that the real and effective uids and/or gids differ, it will turn taint mode on. If you can make sure that the real and effective uids/gids are the same, and make sure you are not explicitly invoking taint mode (-T), you shouldn't have a problem.

Otherwise I suppose a simple yet relatively naive way of dealing with this would be to do something like this:

    foreach my $k (@INC) {
        # a regex capture is never tainted, so $1 comes back "clean"
        if ($k =~ /(.*)/) { $k = $1; }
    }

This should preserve @INC as it is, but at the same time convince perl that you have "inspected" the values, and thus they are no longer tainted. Note that you have NOT inspected the values, at least not very thoroughly.

Always remember, just because I think something is true, doesn't make it so. If you take my advice, and it destroys your system, I will feel badly. I won't accept any responsibility, but I'll still feel bad for you.

Have a nice day,
Chris

On Thu, 2007-01-04 at 13:51 +0000, Thomas Rosario wrote:
> Hi,
> I am using Perl v 5.6.1 on HP-UX 11.11i
>
> Scenario is as follows:
> 1. General Ops user (opsusr) runs a C binary (mybin)
>    mybin (owner: app Mode: 4750 [SUID bit is set])
> 2. The mybin file calls a shell script (myshell.sh) as app user
> 3. myshell.sh sets the PERLLIB and calls a perl file as app user
>
> Problem:
> Perl complains about @INC since taint mode is on (effective user !=
> real user)
>
> What I need:
> Disable taint mode completely on the UX server... no worries about
> security!
>
> Can this be achieved and how?
>
> Tx,
> Thomas

_______________________________________________
Expectperl-discuss mailing list
Exp...@li...
https://lists.sourceforge.net/lists/listinfo/expectperl-discuss
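
Added example, not part of either message: a checked alternative to the blanket (.*) untaint above, which validates a library directory before it goes into @INC. Under taint mode perl ignores PERLLIB and PERL5LIB (see perldoc perlsec), so the directory has to be added explicitly. Assumptions: the variable name APP_PERLLIB, the helper checked_lib_dir and the sample paths are constructed for illustration.

```perl
use strict;
use warnings;

# Return an untainted copy of $dir only if it passes real checks, else undef.
sub checked_lib_dir {
    my ($dir) = @_;
    return unless defined $dir;

    # Absolute path built from a conservative character set. The capture
    # untaints, which is only sound because the pattern is restrictive.
    return unless $dir =~ m{\A(/[A-Za-z0-9_./-]+)\z};
    my $clean = $1;

    # No ".." components that could walk out of the intended tree.
    return if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};

    # Must be an existing directory (stat follows symlinks).
    my @st = stat($clean) or return;
    return unless -d _;

    # Owned by root or the effective uid, and not group/world writable,
    # so the invoking (real) user cannot plant modules in it.
    return unless $st[4] == 0 || $st[4] == $>;
    return if $st[2] & 022;

    return $clean;
}

# Constructed sample inputs; APP_PERLLIB is a hypothetical variable name.
my @candidates = ('/usr/lib', '/tmp', '../lib', '/usr/lib/../../tmp',
                  $ENV{APP_PERLLIB});

for my $cand (@candidates) {
    my $label = defined $cand ? $cand : '(APP_PERLLIB unset)';
    if (defined(my $ok = checked_lib_dir($cand))) {
        unshift @INC, $ok;          # only validated directories reach @INC
        print "accepted: $label\n";
    } else {
        print "rejected: $label\n";
    }
}
```

The script behaves the same with or without -T on the command line; with -T, the value read from %ENV is tainted until checked_lib_dir returns its validated copy.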