Jeff 'japhy' Pinyan wrote:
On Aug 2, Tom Allison said:
So.... I'm trying to get beyond this tainting stuff....
I tried $username =~ s/[EMAIL PROTECTED]//g;
but that doesn't seem to do it.
Detainting via a regex requires you use text that matched; what this
means is you must use a capture variable. In your case, you can do your
removal of invalid characters and then use (.*) to untaint:
$username =~ s/[EMAIL PROTECTED]//g; # remove unwanted characters
($username) = $username =~ /(.*)/s; # match everything and store
I did get this far, but I ran into another set of questions...
I take a pair of vars ($username/$password) in from the POST and can
untaint that using the regex method described ( $username =~ /(\w+)/ )
and that seems to work well enough.
But later on I store the $username/$password into a Cache::FileCache
object using a $key. I don't think that has any problems either.
The $key is later used from the Cookie to reacquire the
$username/$password for authentication from the Cache::FileCache object.
How many of the following do I have to do:
untaint the $key after it's pulled from the Apache Cookie.
untaint the $username/$password from the login form (DONE).
untaint the $username/$password from the Cache::FileCache object.
Because these variables are passed through a number of objects and
methods where is the best point to untaint the variables?
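An added example (not code from this thread) of the capture-based untainting japhy describes, as a small script to run under perl -T; the anchored username pattern and the hex cache-key format are assumptions, and STDIN stands in for the POST field or cookie value:

```perl
#!/usr/bin/perl -T
# Added example: untaint at the boundary where data enters, under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: under -T, anything from %ENV, STDIN, a cookie or a
# file is tainted. One line on STDIN stands in for the POST/cookie value.
chomp(my $raw = <STDIN> // '');

# Untainting needs a capture; only the captured text comes out clean.
# Validating form of the thread's $username =~ /(\w+)/: anchor it so the
# whole value must be word characters, and return undef otherwise.
sub untaint_username {
    my ($value) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /^(\w{1,32})$/;   # assumed: 1-32 word chars
    return $clean;                            # undef when it doesn't match
}

# Same shape for a cache key pulled from a cookie (assumed 32 hex digits).
sub untaint_key {
    my ($value) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /^([0-9a-f]{32})$/i;
    return $clean;
}

printf "raw value tainted: %s\n", tainted($raw) ? 'yes' : 'no';
my $user = untaint_username($raw);
if (defined $user) {
    printf "accepted '%s' (tainted now: %s)\n", $user,
        tainted($user) ? 'yes' : 'no';
} else {
    print "rejected: value does not match the username pattern\n";
}
```

Run it as `echo alice | perl -T untaint.pl` and then with a value containing punctuation to see the second branch; the same check applies wherever the value re-enters from a cookie or cache file.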
<http://learn.perl.org/> <http://learn.perl.org/first-response>