"if" as modifier causes incorrect tainted messages?

Discussion in 'Perl Misc' started by bwooster47@gmail.com, Mar 28, 2013.

  1. Guest

    I've searched for this issue but did not find any documents or discussions - does anyone know if this is expected, and if so, why?

    In a CGI script running with -Tw, a "statement if something" causes the script to abort with a message about an insecure dependency, while the same thing unrolled as "if something {statement}" works fine.

    Here's the entire runnable cgi script:

    #!/usr/bin/perl -Tw
    use strict;
    use warnings;
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    $ENV{PATH} = '';    # taint mode refuses to spawn a command with an unsafe PATH

    my $query = CGI->new;
    my $input_boolean = $query->param('boolean');    # CGI parameters are tainted
    print $query->header();

    print "Test started. ";

    # Statement-modifier form: aborts under -T
    print `/bin/echo TRUE. ` if ($input_boolean);
    # Insecure dependency in `` while running with -T switch at /usr/lib/cgi-bin/cgi-test.pl line 14.

    # But this line below is fine:
    if ($input_boolean) { print `/bin/echo TRUE. `; }

    print "Test done.";

    exit (0);
    Mar 28, 2013
    #1

  2. Guest

    On Thursday, 28 March 2013 18:37:17 UTC-4, Ben Morrow wrote:
    > whole expression is considered tainted (to avoid having to make taint
    > checks for every operator) so the eval (in my case) is disallowed. See
    > https://rt.perl.org/rt3/Public/Bug/Display.html?id=17867 .
    > Ben

    Thanks, in case anyone from http://perldoc.perl.org/perlsec.html is reading, it would be nice if that page explicitly had this particular example.
    It should show that the if-modifier maintains untainted-ness, while an if-statement is fine.
    That doc does mention the phrase you mention above, but it also says that the ternary operation ?: works differently: "Since code with a ternary conditional... is essentially an if-statement". From that, some people might make the incorrect jump that an if-modifier is also essentially an if-statement, so that should be fine too! But it isn't...
    Mar 30, 2013
    #2
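A stand-alone script, added here and not taken from the thread, that reproduces the difference without CGI: the statement-modifier form dies under -T because the condition and the backticks are one statement, the if-block form runs, and the regex-capture untaint from perlsec makes either form safe. It assumes $ENV{PATH} exists to serve as the constructed taint source.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_modifier.pl   (the -T must also be on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Lock down the environment that backticks would inherit (perlsec requirement).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $taint_source = $ENV{PATH};   # read BEFORE overwriting: %ENV values are tainted
$ENV{PATH} = '';                 # only absolute command paths will work below

# Constructed tainted input: appending a zero-length tainted string taints the
# result without changing its text (assumption: $ENV{PATH} was set).
my $input_boolean = '1' . substr($taint_source, 0, 0);
printf "input tainted: %s\n", tainted($input_boolean) ? 'yes' : 'no';

# 1. Statement modifier: the condition and the backticks are ONE statement, so
#    the taint flag set by reading $input_boolean is still set when `` runs.
my $ok = eval { print `/bin/echo modifier: TRUE` if $input_boolean; 1 };
print "modifier form died: $@" unless $ok;   # "Insecure dependency in `` ..."

# 2. if-block: the block body begins a new statement, which resets the flag.
if ($input_boolean) { print `/bin/echo block: TRUE` }

# 3. The real fix: validate against an explicit pattern and keep the capture,
#    which is untainted; anything outside the allowed set is rejected.
my ($safe_boolean) = $input_boolean =~ /^([01])$/
    or die "boolean must be 0 or 1, got '$input_boolean'\n";
print `/bin/echo untainted modifier: TRUE` if $safe_boolean;
```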
