"if" as modifier causes incorrect tainted messages?

[bwooster47]

I've searched for this issue but did not find any documents or discussions - does anyone know if this is expected, and if so, why?

In a CGI script running with -Tw, a "statement if something" causes script abort with message about insecure dependency while the same thing unrolled in an "if something {statement}" works fine.

Here's the entire runnable cgi script:

use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
$ENV{PATH} = '';

my $query = new CGI;
my $input_boolean = $query->param('boolean');
print $query->header();

print "Test started. ";

print `/bin/echo TRUE. ` if ($input_boolean);
# Insecure dependency in `` while running with -T switch at /usr/lib/cgi-bin/cgi-test.pl line 14.

# But this line below is fine:
if ($input_boolean) { print `/bin/echo TRUE. `; }

print "Test done.";

exit (0);

 

[bwooster47]

whole expression is considered tainted (to avoid having to make taint
checks for every operator) so the eval (in my case) is disallowed. See
https://rt.perl.org/rt3/Public/Bug/Display.html?id=17867 .
Ben

Thanks, in case anyone from http://perldoc.perl.org/perlsec.html is reading, would be nice if that page explicitly had this particular example.
I should show that if modifier maintains untainted-ness, while an if-statement is fine.
That doc does mention that the phrase you mention above, but it also says that ternary operation ?: works differently: "Since code with a ternary conditional... is essentially an if-statement". From that, some people might make the incorrect jump that and if-modifier is also essentially an if-statement so that should be fine too! But it isn't...