At 11:23 PM 9/23/2001 -0500, Craig A. Berry wrote:
>Basically we're pre-loading a hash when you use "keys" or "values" on
>%ENV, and if I understand this right, hash elements are not
>full-blown scalars and thus do not have tainting bits.  Getting an
>individual element from %ENV, on the other hand, never involves a
>real hash since we just call getenv() or moral equivalent and return
>a single (tainted) scalar value.  The code where this is implemented
>in vms/vms.c is pretty twisty stuff and I don't quite have a good
>enough grasp of it yet to be sure this is right or know what to do
>about it.

I think the ultimate issue is that %ENV elements fetched from trusted 
sources (like the SYSTEM or CLUSTER mode logicals) are considered 
untainted, while the process-level stuff is tainted. Seemed that way the 
last time I dove through the twisty mazes, but I might've misread things.

                                        Dan

--------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
[EMAIL PROTECTED]                         have teddy bears and even
                                      teddy bears get drunk
