Hi there,

On Wed, 8 Oct 2003, James Tolley wrote:
> Date::Manip is used from a module that's used from a handler. Perl dies
> when I try to ParseDate or Unixdate a date - saying that $ENV{PATH} is
> insecure.
>
> I've tried to set $ENV{PATH} = '...' in a BEGIN block, and I've tried
> setting it from PerlSetEnv PATH ...
>
> How can I untaint $ENV{PATH}??

You have to do it in those (appropriate) places where the data appear,
in every request. Use a substitution command to convert characters
from user input which might become dangerous if your scripts can use
them as input to things like system calls.

See for example:

  Perl documentation in 'perldoc perlsec',
  Chapter 15 of the mod_perl Developer's Cookbook,
  and http://www.gunther.web66.com/FAQS/taintmode.html
73,
Ged.
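
The per-request cleanup discussed in this thread, as an added example that is not part of the original messages: it resets $ENV{PATH} the way 'perldoc perlsec' describes and untaints a date string with a regex capture before anything runs an external command. The helper names secure_env and untaint_date, the PATH value and the accepted date format are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run from the command line with an
# optional date argument; under mod_perl 1.x taint checks are enabled with
# "PerlTaintCheck On" rather than -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: call at the start of every request, before any code
# that may run an external command.
sub secure_env {
    # A literal assignment is untainted. List only absolute directories that
    # other users cannot write to (assumed here: /bin and /usr/bin).
    $ENV{PATH} = '/bin:/usr/bin';
    # perlsec: these variables also influence the shell, so remove them.
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return;
}

# Hypothetical helper: accept only YYYY-MM-DD and reject everything else.
# A regex capture group yields untainted data, so the pattern must be strict.
sub untaint_date {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A(\d{4}-\d{2}-\d{2})\z/
        or die "rejected date input\n";
    return $clean;
}

# Command-line arguments are tainted under -T; the fallback is a constructed
# sample value.
my $raw = @ARGV ? $ARGV[0] : '2003-10-08';

printf "PATH tainted before cleanup: %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';
secure_env();
printf "PATH tainted after cleanup:  %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';

my $date = untaint_date($raw);
printf "date '%s' tainted: %s\n", $date, tainted($date) ? 'yes' : 'no';

# Without secure_env() this line dies with "Insecure $ENV{PATH}".
my $tz = `date +%Z`;
chomp $tz;
print "external command ran, zone: $tz\n";
```

Because a mod_perl interpreter persists across requests, calling the cleanup inside the handler rather than once at startup keeps later changes to %ENV from reintroducing a tainted PATH.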