Peter B. Ensch wrote:

FWIW, I use the following code when I need to use ``|qx:

local $ENV{PATH} = "/bin:/usr/bin";
local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };

But this code must be used in each scope where you intend to use backticks, a system call, etc. Is there no way to untaint your
PATH environment one time for the script or handler?

If you write code used by other people this is probably the only way to go. This is because you want to control the setting. What if PATH gets untainted at the server startup, but then some other module sets a new tainted value to $ENV{PATH}? So it's a good habit to have it local to the code that you run.


Besides, it helps to avoid forking external processes. If you can rewrite your code:

 foreach(`/bin/ls $path`) {
   <do something>
 }

(which is probably not the real code), not to `` but to read the file in, and process it, you eliminate the whole problem altogether. I realize that this is not always possible.

How about abstracting untaint and `` into a single function:

sub backticks {
  local $ENV{PATH} = "/bin:/usr/bin";               # known-safe PATH, only for this call
  local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };        # neutralize shell-influencing vars
  qx(@_);                                           # run the command with the cleaned %ENV
}

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
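The two approaches from the reply, as a complete script (an added example, not code from the thread or from mod_perl): a `backticks` wrapper that cleans `%ENV` only for the duration of the call, an allow-list untainting step for the path argument (taint mode refuses to pass tainted data to the shell otherwise), and the fork-free `opendir`/`readdir` alternative. The helper names `untaint_path`, `list_with_ls` and `list_without_fork`, the allow-list pattern, and the use of `delete local` (perl 5.12 or later) are assumptions of this example. Run it as `perl -T example.pl /tmp` so taint checks are on.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): taint-safe qx// wrapper
# and the fork-free alternative. Run with: perl -T example.pl /some/dir
use strict;
use warnings;
use Carp qw(croak);

# Wrapper around qx// that sanitizes the environment for exactly this
# call, as the thread suggests. 'delete local' (perl 5.12+) removes the
# shell-influencing variables and restores them when the sub returns.
sub backticks {
    my ($cmd) = @_;
    local $ENV{PATH} = "/bin:/usr/bin";
    delete local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return qx{$cmd};
}

# Allow-list untainting (assumption: only absolute paths made of
# word characters, '.', '/' and '-', with no '..' components).
# Capturing from a regex is how taint mode lets data through.
sub untaint_path {
    my ($raw) = @_;
    my ($clean) = $raw =~ m{^(/[\w./-]+)$}
        or croak "refused path with unexpected characters: $raw";
    croak "refused path containing '..': $raw"
        if $clean =~ m{(^|/)\.\.(/|$)};
    return $clean;
}

# Variant 1: still forks, but with a full program path, a cleaned %ENV
# and an untainted argument.
sub list_with_ls {
    my ($dir) = @_;
    my $safe = untaint_path($dir);
    return backticks("/bin/ls $safe");
}

# Variant 2: no external process at all; the same information read
# directly, which sidesteps PATH/IFS concerns entirely.
sub list_without_fork {
    my ($dir) = @_;
    my $safe = untaint_path($dir);
    opendir(my $dh, $safe) or croak "opendir $safe: $!";
    my @entries = sort grep { !/^\.\.?$/ } readdir $dh;
    closedir $dh;
    return @entries;
}

unless (caller) {
    # Command-line arguments are tainted under -T, so the allow-list
    # step above is what makes them usable.
    my $dir = defined $ARGV[0] ? $ARGV[0] : '/';
    print "fork-free listing of $dir:\n";
    print "  $_\n" for list_without_fork($dir);
    print "listing via sanitized backticks:\n";
    print "  $_" for list_with_ls($dir);
}
```

If the `delete local` line is replaced by the thread's `local @ENV{...}` form, the variables are left set to an empty value rather than removed; both are accepted by taint mode, and the wrapper still dies with "Insecure $ENV{PATH}" if the PATH assignment is dropped, which is the check that the `local` scoping is meant to satisfy.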


