On Thu, Dec 13, 2001 at 03:28:32PM -0500, Dan Sugalski wrote:
> Perhaps the argument ought not be whether taint-mode is locally 
> disable-able (and if enabled via the suid check it ought *not* be) but 
> rather if there ought be a way to enable taint checking as a warning 
> instead of a fatal error. Still not something I'd deploy in production, but 
> it would make testing easier.

Ooooh, good idea!  And easy to implement, too.  That would make me
happy.

Should be just a matter of adding a PL_taint_warn flag triggered by -t
or something and making taint_proper() look for it.  Something like:

    if (PL_tainted) {
        if (!f)
            f = PL_no_security;
        if (PL_euid != PL_uid)
            ug = " while running setuid";
        else if (PL_egid != PL_gid)
            ug = " while running setgid";
        else
            ug = " while running with -T switch";
        if (!PL_unsafe) {
            if( PL_taint_warn && ckWARN(WARN_TAINT) )
                Perl_warner(aTHX_ WARN_TAINT, f, s, ug);
            else
                Perl_croak(aTHX_ f, s, ug);
        }
    }


PS What's that WARN_TAINT thing already in taint_proper?  I can't seem
to trigger it.

        if (!PL_unsafe)
            Perl_croak(aTHX_ f, s, ug);
        else if (ckWARN(WARN_TAINT))
            Perl_warner(aTHX_ WARN_TAINT, f, s, ug);


-- 

Michael G. Schwern   <[EMAIL PROTECTED]>    http://www.pobox.com/~schwern/
Perl Quality Assurance      <[EMAIL PROTECTED]>         Kwalitee Is Job One
Obscenity is the last resort of the illiterate, Mother Fucker
        -- KAL
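
An added example, not part of the original message or of perl's source: a stand-alone C model of the two taint_proper() branches quoted above, tabulating whether each one croaks, warns or does nothing for every flag combination. PL_tainted, PL_unsafe, the proposed PL_taint_warn and the result of ckWARN(WARN_TAINT) are passed in as plain ints, an assumption made so the logic runs outside the interpreter.

```c
/* Stand-alone model of the two taint_proper() branches quoted above.
 * Not perl source: PL_tainted, PL_unsafe, the proposed PL_taint_warn and
 * ckWARN(WARN_TAINT) are passed in as plain ints (assumption). */
#include <stdio.h>

enum outcome { IGNORE, WARN, CROAK };

/* Branch quoted in the PS: croak unless unsafe, else warn if enabled. */
enum outcome existing_check(int tainted, int unsafe, int warn_taint)
{
    if (!tainted)
        return IGNORE;
    if (!unsafe)
        return CROAK;
    return warn_taint ? WARN : IGNORE;
}

/* Branch sketched in the proposal, with the extra taint_warn flag. */
enum outcome proposed_check(int tainted, int unsafe, int taint_warn,
                            int warn_taint)
{
    if (!tainted)
        return IGNORE;
    if (!unsafe)
        return (taint_warn && warn_taint) ? WARN : CROAK;
    return IGNORE;   /* the sketch has no branch for the unsafe case */
}

int main(void)
{
    static const char *name[] = { "ignore", "warn", "croak" };
    int i;

    puts("unsafe taint_warn warn_taint | existing proposed");
    for (i = 0; i < 8; i++) {
        int unsafe = (i >> 2) & 1, tw = (i >> 1) & 1, wt = i & 1;
        printf("%6d %10d %10d | %-8s %s\n", unsafe, tw, wt,
               name[existing_check(1, unsafe, wt)],
               name[proposed_check(1, unsafe, tw, wt)]);
    }
    return 0;
}
```

In this model the proposed branch warns only when both the new flag and the taint warning category are on, and otherwise still croaks.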
