On Thu, Dec 13, 2001 at 03:28:32PM -0500, Dan Sugalski wrote:
> Perhaps the argument ought not be whether taint-mode is locally
> disable-able (and if enabled via the suid check it ought *not* be) but
> rather if there ought be a way to enable taint checking as a warning
> instead of a fatal error. Still not something I'd deploy in production, but
> it would make testing easier.

Ooooh, good idea! And easy to implement, too. That would make me happy.

Should be just a matter of adding a PL_taint_warn flag triggered by -t
or something and making taint_proper() look for it. Something like:

    if (PL_tainted) {
        if (!f)
            f = PL_no_security;
        if (PL_euid != PL_uid)
            ug = " while running setuid";
        else if (PL_egid != PL_gid)
            ug = " while running setgid";
        else
            ug = " while running with -T switch";
        if (!PL_unsafe) {
            if( PL_taint_warn && ckWARN(WARN_TAINT) )
                Perl_warner(aTHX_ WARN_TAINT, f, s, ug);
            else
                Perl_croak(aTHX_ f, s, ug);
        }
    }

PS What's that WARN_TAINT thing already in taint_proper? I can't seem to
trigger it.

    if (!PL_unsafe)
        Perl_croak(aTHX_ f, s, ug);
    else if (ckWARN(WARN_TAINT))
        Perl_warner(aTHX_ WARN_TAINT, f, s, ug);

-- 
Michael G. Schwern <[EMAIL PROTECTED]> http://www.pobox.com/~schwern/
Perl Quality Assurance <[EMAIL PROTECTED]> Kwalitee Is Job One
Obscenity is the last resort of the illiterate, Mother Fucker
    -- KAL
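
The two branches quoted in the message above, modelled side by side as an added example (not code from the message or from the Perl source). It assumes PL_tainted is already true and passes PL_unsafe, the proposed PL_taint_warn, and the result of ckWARN(WARN_TAINT) as plain ints; the function and enum names are hypothetical.

```c
#include <stdio.h>

/* What a failed taint check ends up doing. */
typedef enum { TAINT_SILENT, TAINT_WARN, TAINT_CROAK } taint_outcome;

/* Branch quoted in the P.S.: fatal unless PL_unsafe is set, in which
   case it warns only if the taint warning category is enabled. */
static taint_outcome existing_outcome(int unsafe, int warn_taint)
{
    if (!unsafe)
        return TAINT_CROAK;
    else if (warn_taint)
        return TAINT_WARN;
    return TAINT_SILENT;
}

/* Branch from the "Something like:" sketch: PL_taint_warn downgrades
   the croak to a warning, but only when ckWARN(WARN_TAINT) is true. */
static taint_outcome proposed_outcome(int unsafe, int taint_warn, int warn_taint)
{
    if (!unsafe) {
        if (taint_warn && warn_taint)
            return TAINT_WARN;
        return TAINT_CROAK;
    }
    return TAINT_SILENT;   /* the sketch has no else branch for PL_unsafe */
}

static const char *outcome_name(taint_outcome o)
{
    return o == TAINT_CROAK ? "croak" : o == TAINT_WARN ? "warn" : "silent";
}

int main(void)
{
    /* Enumerate every combination of the three flags. */
    printf("unsafe taint_warn ckWARN | existing proposed\n");
    for (int bits = 0; bits < 8; bits++) {
        int unsafe = (bits >> 2) & 1, tw = (bits >> 1) & 1, cw = bits & 1;
        printf("%6d %10d %6d | %8s %8s\n", unsafe, tw, cw,
               outcome_name(existing_outcome(unsafe, cw)),
               outcome_name(proposed_outcome(unsafe, tw, cw)));
    }
    return 0;
}
```

The table makes two rows worth checking when testing such a flag: with PL_taint_warn set but the taint warning category off, the sketch still croaks, and with PL_unsafe set the two branches differ in whether a warning is emitted.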