taint

When I try the last example from perlfaq5: How-do-I-count-the-number-of-lines-in-a-file? I get an error-message. What should I do to get the script working? #!/usr/local/bin/perl -T use warnings; use 5.012; $ENV{PATH} = undef; my $filename = 'perl2.pl'; if( $filename =~ /^([0-9a-z_.]+)\z/ ) { my $lines = `/usr/bin/wc -l $1`; print $lines; } Output: Insecure $ENV{ENV} while running with -T switch at ./perl1.pl line 10. 2nd Edition of Answer The perldoc perlsec manual describes taint mode (there is also perldoc Taint for a module related to Taint mode). In part, it illustrates: $path = $ENV{

When do Ruby objects need to be made tainted and when should we untaint them? How does the concept of tainted object make a Ruby script run in safe mode? Can anyone elaborate on this to make the concept clear with some code snippets? What is Tainted? User input is tainted, by definition. For example: string = gets string.tainted? # => true You can also manually taint an object. string = 'Not yet tainted.' string.tainted? # => false (string = 'Explicitly taint me!').taint string.tainted? # => true Why Untaint an Object? Generally, you would untaint an object only after you validate and/or

perl -T Do you use it? Does it help you finding security holes in your Perl scripts? More than that :) it stops your security issues before they become one. It is not a security silver bullet of course... we used to use it (a few years back when I was involved in Perl projects) in any script that was exposed externally (i.e. any mod_perl app) and we found it very useful and made it our policy. It does a few checks and it is handy.. (anything makes things automated) Perl Security - perlsec recommends it strongly too: This flag [Taint mode] is strongly suggested for server programs and any