@files = <*.c>; # insecure (uses readdir() or similar)
@files = glob('*.c'); # insecure (uses readdir() or similar)
- # In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
- # have used an external program to do the filename expansion; but in
- # either case the result is tainted since the list of filenames comes
- # from outside of the program.
+ # In either case, the results of glob are tainted, since the list of
+ # filenames comes from outside of the program.
$bad = ($arg, 23); # $bad will be tainted
$arg, `true`; # Insecure (although it isn't really)
Or you may be able to use the following C<is_tainted()> function.
sub is_tainted {
+ local $@; # Don't pollute caller's value.
return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}
This is quite different, however, from not even trusting the writer of the
code not to try to do something evil. That's the kind of trust needed
when someone hands you a program you've never seen before and says, "Here,
-run this." For that kind of safety, check out the Safe module,
-included standard in the Perl distribution. This module allows the
+run this." For that kind of safety, you might want to check out the Safe
+module, included standard in the Perl distribution. This module allows the
programmer to set up special compartments in which all system operations
-are trapped and namespace access is carefully controlled.
+are trapped and namespace access is carefully controlled. Safe should
+not be considered bullet-proof, though: it will not prevent the foreign
+code to set up infinite loops, allocate gigabytes of memory, or even
+abusing perl bugs to make the host interpreter crash or behave in
+unpredictable ways. In any case it's better avoided completely if you're
+really concerned about security.
=head2 Security Bugs
https://perl5.git.perl.org / perl5.git / blobdiff