On Wed, Apr 17, 2002 at 04:38:50PM -0500, Steven Lembark wrote:
> >A recent Phrack article pointed out that one of the SOAP/RPC/XML
> >modules was doing this:
> >
> > $soap->$tainted_method_name(@args);
>
> Use -T and untaint by extracting the subname:
>
> my $flag = "::$input" =~ /\w+$/;
my($flag) = $input =~ /(\w+)$/;
> my $sub = $jumpz{$flag};
Well, the untainting here is useless since:
1) hash lookups don't taint check
2) the jump table itself effectively acts as a taint filter. The
   user can't call anything you don't explicitly place in the
   jump table.
> or simply:
>
> croak "$$: Bogus sub call: $blah" if $blah =~ /\w+::\w+/;
$blah = '_your_private_method_im_not_supposed_to_call';
The jump table is safest and least clever. [1]
[1] That's the Chinese clever, like interesting.
--
Michael G. Schwern <[EMAIL PROTECTED]> http://www.pobox.com/~schwern/
Perl Quality Assurance <[EMAIL PROTECTED]> Kwalitee Is Job One
But I wore the juice!
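An added example in Perl, not code from the thread or from any of the SOAP/RPC/XML modules it refers to: one client-supplied method name run through the three dispatch styles discussed above, so the difference between "untaint the string" and "look it up in a jump table" is visible on a private method. The Server package, its _dump_secrets method, the %SECRETS hash and the request list are all constructed for illustration. The script does not run under -T, so the point that a hash lookup is not taint-checked is only noted in a comment, not exercised.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the thread: the same client-chosen method name
# run through three dispatchers. Server, %SECRETS and the request list
# are constructed for illustration.

package Server;

my %SECRETS = ( db_password => 'hunter2' );

sub new  { return bless {}, shift }
sub echo { my ($self, @args) = @_; return join ' ', @args }
sub add  { my ($self, $x, $y) = @_; return $x + $y }

# Internal helper; a remote caller should never be able to reach it.
sub _dump_secrets {
    return join ',', map { "$_=$SECRETS{$_}" } sort keys %SECRETS;
}

package main;

my $server = Server->new;

# Constructed requests: the first element is the method name the client sent.
my @requests = (
    [ 'echo', 'hello', 'world' ],
    [ 'add', 2, 3 ],
    [ '_dump_secrets' ],           # private method, bare name
    [ 'Server::_dump_secrets' ],   # same method, fully qualified
    [ 'Other::Package::whatever' ],
);

# 1. The pattern the Phrack article complained about: whatever the client
#    names gets called. The /(\w+)$/ capture is the untaint idiom from the
#    thread; it satisfies -T but still lets any single-word method through.
sub dispatch_untaint_only {
    my ($name, @args) = @_;
    my ($flag) = $name =~ /(\w+)$/;
    my $result = eval { $server->$flag(@args) };
    return defined $result ? $result : "error: $@";
}

# 2. The croak check: rejects qualified names such as Other::Package::x,
#    but a bare '_dump_secrets' contains no '::' and is called anyway.
sub dispatch_regex_check {
    my ($name, @args) = @_;
    my $result = eval {
        die "Bogus sub call: $name\n" if $name =~ /\w+::\w+/;
        $server->$name(@args);
    };
    return defined $result ? $result : "error: $@";
}

# 3. Jump table: the hash is the whitelist. Anything not listed cannot run,
#    so $name needs no regex untainting (a hash lookup is not taint-checked).
my %jump = (
    echo => \&Server::echo,
    add  => \&Server::add,
);

sub dispatch_jump_table {
    my ($name, @args) = @_;
    my $sub = $jump{$name}
        or return "error: unknown method '$name'";
    return $server->$sub(@args);   # $sub is a code ref, invoked as a method
}

for my $req (@requests) {
    my ($name, @args) = @$req;
    printf "%-26s untaint-only: %s\n", $name, dispatch_untaint_only($name, @args);
    printf "%-26s regex-check:  %s\n", $name, dispatch_regex_check($name, @args);
    printf "%-26s jump-table:   %s\n", $name, dispatch_jump_table($name, @args);
}
```

Run it with plain `perl` and compare the three columns for the `_dump_secrets` rows: the untaint-only dispatcher leaks the secrets for both the bare and the qualified name, the `::` check stops only the qualified one, and the jump table refuses both because neither key is in %jump.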