Home/ Questions/Q 7004267
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T21:10:37+00:00

upto my knowledge once a variable is tainted, Perl won’t allow to use it

  • 0

upto my knowledge once a variable is tainted, Perl won’t allow to use it in a system(), exec(), piped open, eval(), backtick command, or any function that affects something outside the program (such as unlink). So whats the process to untaint it?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use a regular expression on the tainted variable to pull out the “safe” values:

    Sometimes you have just to clear your data’s taintedness. Values may be untainted by using them as keys in a hash; otherwise the only way to bypass the tainting mechanism is by referencing subpatterns from a regular expression match. Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.

    Don’t ignore this warning though:

    That means using a bit of thought–don’t just blindly untaint anything, or you defeat the entire mechanism. It’s better to verify that the variable has only good characters (for certain values of “good”) rather than checking whether it has any bad characters. That’s because it’s far too easy to miss bad characters that you never thought of.

    Perlsec: Laundering and Detecting Tainted Data

    • 0