From: Jonathan S. <gel...@ge...> - 2002-01-16 09:15:12
On Sun, 13 Jan 2002, Nick Cleaton wrote:
> On Sun, Jan 13, 2002 at 06:49:44PM +0000, Jonathan Stowe wrote:
> > >
> > > IMO '$^T = 0;' is a bad, bad thing.
> >
> > But if we already trust all of our inputs ... File::Find is getting
> > worried because it doesn't believe it can trust the directory names ...
>
> I still don't like turning off taint checking, even for little
> bits of the code. It makes me cringe.
>
> > > I'd much sooner fall back to using readdir.
> > >
> >
> > We will still have the same problem :)
>
> If we do the find ourselves using readdir, we can detaint the
> return values from readdir and Cwd::cwd() before passing them
> to chdir (as File::Find can be made to do in later versions)
> or just avoid the issue by not using chdir (like post 5.6
> File::Find with the no_chdir option).
>
> > OK. Then we should do our best to mollify taint as far as File::Find is
> > concerned, then eval {} the find() and then fall back to our own version
> > on a $@ ? I have the code for one somewhere I think ...
>
> That'd work.
>
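I knew there had to be a better solution:

#!/usr/local/old/bin/perl -wT

# Predeclare File::Find::chdir before File::Find is loaded, so that the
# chdir calls compiled inside File::Find use the sub defined below
# rather than the builtin.
use subs 'File::Find::chdir';
use File::Find;

# Clean up the environment for taint mode.
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
@ENV{qw(BASH_ENV)} = ('');

find(\&wanted,'.');

sub wanted
{
    print $_;
}

# Replacement chdir: untaint the directory name by regex capture and
# hand the captured value to the real chdir.
sub File::Find::chdir
{
    # $1 is the first run of characters outside \x00-\x1F; the pattern
    # is not anchored.
    if ( $_[0] =~ m%([^\x00-\x1F]+)% )
    {
        return CORE::chdir($1);
    }
    else
    {
        return undef;
    }
}
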
This had been rattling around in my brain since it first came up but I
never got round to trying it :)
You may or may not disagree with the detainting regex but I will apply
anyway ...
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
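
The readdir fallback discussed in the quoted text, as an added example that is not code from this thread or from the project: a walker that never calls chdir and untaints each name returned by readdir before building a path from it. The names untaint_name and walk are hypothetical; the character class is the one used in the message plus '/', here anchored with \A...\z so the whole name has to match.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper: return an untainted copy of a directory entry name,
# or undef if any character falls in \x00-\x1F or is a '/'.
# Anchoring means a name is accepted whole or rejected, never truncated.
sub untaint_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $1 if $name =~ m{\A([^\x00-\x1F/]+)\z};
    return undef;
}

# Hypothetical walker: calls $wanted with the path of every entry below
# $dir. It does not chdir, so the taint check on chdir is never reached.
sub walk {
    my ($dir, $wanted) = @_;
    opendir(my $dh, $dir) or do { warn "opendir failed: $!\n"; return };
    my @entries = readdir($dh);      # values returned by readdir are tainted
    closedir($dh);

    for my $raw (@entries) {
        next if $raw eq '.' or $raw eq '..';
        my $name = untaint_name($raw);
        unless (defined $name) {
            # Do not echo the raw name: it may contain control characters.
            warn "skipping an entry with a rejected name\n";
            next;
        }
        my $path = "$dir/$name";     # untainted as long as $dir is
        $wanted->($path);
        # Recurse into real directories only, not symlinks to directories.
        walk($path, $wanted) if -d $path && !-l $path;
    }
}

# The start directory is a literal, so every path handed to the callback
# is untainted and can be passed on to taint-checked operations.
walk('.', sub { print "$_[0]\n" });
```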