de-taint doesn't work after upgrading perl

mickjames

Hi,

In a cgi script I'm detainting an input variable as
$FORM{'input'} =~ tr/A-Z//cd;
and then passing it to a system call as
system "proggy",$FORM{'input'};

It was working in old perl 5.6 but doesn't in 5.8.
Perl complains about "Insecure dependency".
How should it be detainted now?

Thanks much!
 
Gunnar Hjalmarsson

> In a cgi script I'm detainting an input variable as
> $FORM{'input'} =~ tr/A-Z//cd;
> and then passing it to a system call as
> system "proggy",$FORM{'input'};
>
> It was working in old perl 5.6 but doesn't in 5.8.
> Perl complains about "Insecure dependency".
> How should it be detainted now?

Didn't know the above ever was an allowed way to untaint. This is an
equivalent that does untaint:

$FORM{'input'} = join '', $FORM{'input'} =~ /[A-Z]/g;

Please also study

perldoc perlsec
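
The difference between the two forms in this thread, as an added example that is not code from either poster: it runs under `perl -T`, builds a tainted sample string from `$^X` in place of real CGI input, and reports each result's taint flag with `Scalar::Util::tainted`. `proggy` is the question's placeholder program; the file name and the anchored-capture variant at the end are additions.

```perl
# Added example, not from the thread. Save as untaint_demo.pl (name is
# arbitrary) and run with: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# system() under -T also refuses a tainted environment, so pin it first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample input. Appending a zero-length slice of $^X, which is
# tainted under -T, taints the whole string the way a CGI parameter is.
my $input = 'AB;cd 12 XY' . substr($^X, 0, 0);

sub report {
    my ($label, $value) = @_;
    printf "%-18s value=%-14s tainted=%s\n",
        $label, defined $value ? "'$value'" : 'undef',
        tainted($value) ? 'yes' : 'no';
}

report('raw input', $input);

# The form from the question: tr/// edits the string in place, and the
# taint flag on the scalar is left as it was.
(my $by_tr = $input) =~ tr/A-Z//cd;
report('tr/A-Z//cd', $by_tr);

# Passing it on reproduces the error. The taint check dies before
# anything is executed, so "proggy" does not need to exist.
eval { system 'proggy', $by_tr; 1 }
    or print "system() refused: $@";

# The form from the answer: strings returned by a regex match count as
# validated and come back untainted.
my $by_match = join '', $input =~ /[A-Z]/g;
report('join + /[A-Z]/g', $by_match);

# Stricter variant: accept the value only if all of it is A-Z, instead of
# silently stripping whatever does not fit. No match leaves it undef.
my ($strict) = $input =~ /\A([A-Z]+)\z/;
report('anchored capture', $strict);
```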
 
