Programming/Scripting Resource

John Macdonald john-Z7w/En0MP3xWk0Htik3J/w at public.gmane.org
Thu Jan 11 19:39:20 UTC 2007


On Thu, Jan 11, 2007 at 12:49:49PM -0500, Alex Beamish wrote:
> And the reason taint mode isn't the default setting is because generating
> web pages is only one of the things that Perl is great for. ;) Running an
> installation procedure (as one of my Perl scripts does) doesn't need any
> taint checking, because all input is coming from a known user via
> interactive prompts.

More than just "a known user" but the same user that the
script is running as, so anything that the script does based
on the provided input is only things that the user would be
permitted to do in other ways.  That's why triggering taint
mode whenever running setuid is a good thing, and leaving it up
to the person running (or writing) the script to force taint
mode when it will be used in a situation where the input is
coming from some untrustable source is acceptable.

-- 
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
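
The case the message calls out, forcing taint mode because input comes from a source the script cannot trust, as an added example that is not part of the original post or thread. The sub name `untaint_hostname`, its hostname pattern and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (constructed): a script that forces taint mode with -T
# because its input comes from an untrusted source.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is non-zero under -T, and also when perl detects that it is
# running setuid/setgid, where taint mode is switched on automatically.
die "taint mode is off; run with -T\n" unless ${^TAINT};

# Taint mode distrusts the inherited environment as well as the input:
# set a known PATH and drop variables a shell would act on.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: returns an untainted copy of a hostname-like value,
# or nothing. A regex capture is how Perl clears the taint flag, so the
# pattern has to be a strict allowlist, never /(.*)/.
sub untaint_hostname {
    my ($raw) = @_;
    return unless defined $raw
        && $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?)\z/;
    return $1;
}

# Command-line arguments are tainted under -T. With no arguments, fall back
# to constructed samples, tainted by appending a zero-length piece of $^X
# (which is itself tainted in taint mode).
my $taint  = substr($^X, 0, 0);
my @inputs = @ARGV
    ? @ARGV
    : map { $_ . $taint } ('www.example.org', 'example.org; id');

for my $raw (@inputs) {
    # Perl refuses to pass tainted data to system(); the die is caught here,
    # so nothing is executed with the raw value.
    my $refused = eval { system('/bin/echo', $raw); 1 } ? 'no' : 'yes';
    my $clean   = untaint_hostname($raw);

    printf "%-22s tainted=%s refused_by_perl=%s validated=%s\n",
        "'$raw'",
        tainted($raw) ? 'yes' : 'no',
        $refused,
        defined $clean ? "'$clean'" : 'rejected';
}
```

Because `-T` is on the `#!` line, run the file directly as an executable or as `perl -T script.pl`; plain `perl script.pl` aborts, since taint mode has to be enabled before perl starts reading the script.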
