On Wed, Apr 17, 2002 at 04:16:08PM -0700, Rick Klement wrote:
> Notice that the regex match (which should have been /\[([A-Z]+)\]/ )
> effectively untaints and closes the security hole by disallowing
> anything through that is not [A-Z]+

This is still too lenient, you've just narrowed the possible holes. It's not too hard to see Joe Maintenance Programmer coming along later and adding in flags that match \w+ instead of [A-Z]+ without fully considering the implications.

All to avoid writing a hash?

Just because the safety is on doesn't mean you should juggle handguns. Never know whose foot it'll blow off.

-- 
Michael G. Schwern <[EMAIL PROTECTED]> http://www.pobox.com/~schwern/
Perl Quality Assurance <[EMAIL PROTECTED]> Kwalitee Is Job One
There's a Balrog in the woodpile.
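The two approaches being argued over, side by side, as an added example that is not code from either poster. The regex version untaints whatever /\[([A-Z]+)\]/ captures, so any uppercase word gets through; the hash version only ever returns a value the program itself listed. The flag names, their mapped values and the sample inputs are constructed for illustration; under perl -T the input would normally arrive tainted from @ARGV or a request.

```perl
use strict;
use warnings;

# Constructed allowlist of the flags the program actually understands.
# Hash keys and values are literals in the source, so nothing returned
# from this table carries taint, regardless of what was used to look it up.
my %KNOWN_FLAG = (
    VERBOSE => 'verbose',
    DEBUG   => 'debug',
    DRYRUN  => 'dry_run',
);

# The approach from the thread: a successful capture untaints $1, so every
# string matching [A-Z]+ is accepted, including flags the program never
# defined. Loosening the class to \w+ later widens that further.
sub flag_by_regex {
    my ($input) = @_;
    return $input =~ /\[([A-Z]+)\]/ ? $1 : undef;
}

# The hash approach: parse the same syntax, then accept only a key that
# is actually in %KNOWN_FLAG. Unknown names are rejected outright, and a
# later change to the parsing regex cannot enlarge the set of accepted flags.
sub flag_by_hash {
    my ($input) = @_;
    my ($name) = $input =~ /\[([A-Z]+)\]/;
    return undef unless defined $name && exists $KNOWN_FLAG{$name};
    return $KNOWN_FLAG{$name};
}

# Constructed sample inputs: one known flag, one unknown uppercase word,
# one known flag with trailing text.
for my $raw ('[VERBOSE]', '[RMRF]', '[DEBUG] rest') {
    my $loose  = flag_by_regex($raw) // '(rejected)';
    my $strict = flag_by_hash($raw)  // '(rejected)';
    printf "%-14s regex: %-10s hash: %s\n", $raw, $loose, $strict;
}
```

Running it shows [RMRF] passing the regex check but being rejected by the hash lookup, which is the gap the reply is pointing at.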
