On Mon, 11 Apr 2005, John Peacock wrote:

and return an untainted value directly. It would lead to much more compact and yet still readable code like this:

$ldhost = $self->qp->config('ldap_host', qr/^(([a-z0-9]+\.?)+)$/)
    || "localhost";
$ldport = $self->qp->config('ldap_port', qr/^(\d+)$/)
    || 389;

or if you were stupid^Wtrusting:

$ldhost = $self->qp->config('ldap_host') || "localhost";
$ldport = $self->qp->config('ldap_port') || 389;

Thoughts?

I don't think it's particularly stupid to trust your config file. If a cracker can take control of your config file, you have worse problems than lack of validation of the config file. To put it another way, "unusual values" pulled from (likely root owned) config files are not a very likely avenue of attack.
Sticking in a regexp for every config item might get more tedious than it is worth.

---
Charlie
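To make the proposal concrete, here is an added example (not code from this thread or from qpsmtpd) of the kind of validating lookup John describes: the config value is matched against a caller-supplied regex with an outer capture, the capture (which Perl treats as untainted) is returned, and the default is used when the key is missing or the value fails the check. The `%config` hash and the `config_validated` helper are stand-ins I assume here; the real plugin API is not shown on the page.

```perl
use strict;
use warnings;

# Constructed stand-in for the plugin's config store (assumption, not
# qpsmtpd's own data structure).
my %config = (
    ldap_host => 'ldap.example.org',
    ldap_port => '389; extra junk',   # a value that must fail validation
);

# Look up $key, validate it against $re (which must contain one outer
# capture group) and return the captured text, or $default when the key
# is absent or the value does not match. Under taint mode (-T) the value
# pulled from the regex capture is untainted, which is the point of the
# proposal. A rejected value is logged rather than silently replaced so a
# mistyped or tampered config line is visible.
sub config_validated {
    my ($key, $re, $default) = @_;
    my $raw = $config{$key};
    return $default unless defined $raw;
    return $1 if $raw =~ $re;
    warn "config '$key': value '$raw' rejected by validation; using default\n";
    return $default;
}

# Same shape as the calls in the quoted message, with the default passed in.
my $ldhost = config_validated('ldap_host', qr/^(([a-z0-9]+\.?)+)$/, 'localhost');
my $ldport = config_validated('ldap_port', qr/^(\d+)$/, 389);

print "host=$ldhost port=$ldport\n";
```

Passing the default as an argument also sidesteps the `||` pitfall, where a legitimately false value such as `0` would be replaced by the default.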
