Tainting traps

I ran into some trouble when combining tainting with the Encode module. Recently, I've been using the Encode module to decode from binary to text as soon as possible and encode back to binary as late as possible. Unfortunately, this completely kills the protection that -T grants, presumably because the Encode module uses a regular expression to do its work.

#! /usr/bin/perl -T

use strict;
use warnings;
use Encode ();

# Sanitise the environment as perlsec recommends, so that system() is not
# refused merely because of a tainted PATH.
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# $ENV{'HOME'} is tainted under -T, but the value that comes back from
# Encode::encode() is not, so the shell command below runs without -T
# complaining about an "Insecure dependency".
my ($home) = Encode::encode('UTF-8', $ENV{'HOME'});
system("echo $home");

This can be beaten by wrapping calls to the Encode module (and others such as Getopt::Long) with calls to the Taint module to make sure that if a variable is tainted before it goes through the Encode module, it stays tainted after it comes out of the Encode module.
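A wrapper along those lines, as an added example that is not the post's own code: it checks taintedness with the core Scalar::Util::tainted and re-taints with the zero-length substr idiom instead of the Taint module, and it assumes $ENV{'HOME'} is set.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Encode ();
use Scalar::Util qw(tainted);

# Return $out, re-tainted if $in was tainted. Appending a zero-length slice
# of a tainted string taints the result without changing its value.
sub retaint_like {
    my ($in, $out) = @_;
    return $out unless tainted($in);
    return $out . substr($in, 0, 0);
}

# Encode/decode wrappers that carry taint from input to output.
sub encode_keep_taint {
    my ($enc, $str, @rest) = @_;
    return retaint_like($str, Encode::encode($enc, $str, @rest));
}

sub decode_keep_taint {
    my ($enc, $bytes, @rest) = @_;
    return retaint_like($bytes, Encode::decode($enc, $bytes, @rest));
}

# Environment hygiene, as in the snippet above.
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# %ENV is tainted under -T; the wrapper keeps the encoded copy tainted.
my $home = encode_keep_taint('UTF-8', $ENV{'HOME'});
printf "HOME tainted: %d, wrapped encode() result tainted: %d\n",
    tainted($ENV{'HOME'}) ? 1 : 0, tainted($home) ? 1 : 0;

# Because $home is still tainted, -T refuses to pass it to system() until it
# is untainted explicitly by a regex capture (here: an absolute path made of
# word characters, '/', '.' and '-'; adjust the pattern to your needs).
my ($safe_home) = $home =~ m{\A(/[\w/.-]*)\z}
    or die "HOME did not match the expected pattern\n";

# List form of system() avoids the shell entirely.
system('echo', $safe_home) == 0 or die "echo failed: $?\n";
```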

However, for me, an unexpected result of combining two great parts of Perl


About David Dick

I'm based out of Melbourne, Australia. I attend the excellent melbourne.pm.org meetings whenever I get the chance, which is not often enough.