"if" as modifier causes incorrect tainted messages?

Discussion in 'Perl Misc' started by bwooster47, Mar 28, 2013.

  1. bwooster47

    bwooster47 Guest

    I've searched for this issue but did not find any documents or discussions - does anyone know if this is expected, and if so, why?

In a CGI script running with -Tw, a "statement if something" causes a script abort with a message about an insecure dependency, while the same thing unrolled into an "if something {statement}" works fine.

    Here's the entire runnable cgi script:

#!/usr/bin/perl -Tw
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
$ENV{PATH} = '';   # taint mode refuses to run a subprocess while PATH is tainted

my $query = CGI->new;
my $input_boolean = $query->param('boolean');   # user-supplied, so tainted
print $query->header();

print "Test started. ";

print `/bin/echo TRUE. ` if ($input_boolean);
# Statement-modifier form aborts with:
# Insecure dependency in `` while running with -T switch at /usr/lib/cgi-bin/cgi-test.pl line 14.

# But this line below is fine:
if ($input_boolean) { print `/bin/echo TRUE. `; }

print "Test done.";

exit(0);
    bwooster47, Mar 28, 2013
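An added example, not code from this thread: a stand-alone command-line version of the same experiment, so it can be run under `perl -T` without a web server. The flag comes from @ARGV (which is tainted under -T just like a CGI parameter), the names $flag, $clean_flag and taint_modifier.pl are made up here, and the last part adds the mitigation perlsec recommends, validating the input with a regex capture so nothing tainted is read in the same statement as the backticks.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread). Run as:  perl -T taint_modifier.pl yes
# It reproduces the difference the post describes with a plain command-line
# argument instead of a CGI parameter, and ends with the usual fix: validate
# the tainted value with a regex capture before it reaches the same statement
# as the backticks. $flag, $clean_flag and the file name are made up here.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, everything from @ARGV, STDIN and %ENV is tainted, so $flag plays
# the role of $query->param('boolean') in the CGI script.
my $flag = @ARGV ? $ARGV[0] : die "usage: perl -T $0 yes|no\n";

# Backticks under -T need an untainted PATH and these variables removed.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

printf "input flag tainted: %d\n", tainted($flag) ? 1 : 0;

# Case 1: statement modifier. Reading the tainted $flag and running the
# backticks are one statement, so Perl's "something tainted was used in this
# statement" flag is still set when `` executes, and `` refuses to run.
my $ok_modifier = eval {
    my $out;
    $out = `/bin/echo modifier-form` if $flag;
    1;
};
print $ok_modifier ? "modifier form: ran\n" : "modifier form: died: $@";

# Case 2: block form. The body of the block is a new statement, and Perl
# resets that flag at each statement boundary, so `` runs even though the
# condition it depended on was tainted.
my $ok_block = eval {
    if ($flag) {
        my $out = `/bin/echo block-form`;
        print "block form: ran, output: $out";
    }
    1;
};
print "block form: died: $@" unless $ok_block;

# Case 3: what a careful script should do anyway: accept only values from an
# explicit allow-list. Only the regex capture is untainted, not $flag itself.
my ($clean_flag) = $flag =~ /\A(yes|no)\z/
    or die "flag must be 'yes' or 'no', got '$flag'\n";
printf "validated flag tainted: %d\n", tainted($clean_flag) ? 1 : 0;

# Now the modifier form is fine too, because nothing tainted is read in it.
print `/bin/echo validated-form` if $clean_flag eq 'yes';
```

Invoke it as `perl -T taint_modifier.pl yes`; the shebang carries -T as well, so running it without the switch fails with "Too late for -T". The first case dies with the same "Insecure dependency in ``" message quoted in the post, the second runs, and the third shows that the block-vs-modifier difference stops mattering once the input has been validated, which is the property a script should rely on rather than the statement boundary.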

  2. bwooster47

    bwooster47 Guest

Thanks. In case anyone from http://perldoc.perl.org/perlsec.html is reading, it would be nice if that page explicitly had this particular example.
It should show that an if-modifier maintains untainted-ness, while an if-statement is fine.
That doc does mention the phrase you mention above, but it also says that the ternary operation ?: works differently: "Since code with a ternary conditional... is essentially an if-statement". From that, some people might make the incorrect jump that an if-modifier is also essentially an if-statement, so that should be fine too! But it isn't...
    bwooster47, Mar 30, 2013