Steve Hay wrote:
> Run the following program under perl 5.10.0 on Windows XP:
>
> #!perl -wT
> use strict;
> use warnings;
> BEGIN { $ENV{TMPDIR} = "$ENV{WINDIR}\\TEMP" };
> use CGI;
> my $tmpfile = new CGITempFile(1);
> print "tmpfile='", $tmpfile->as_string(), "'\n";
>
> This causes the error:
>
> Insecure dependency in sprintf while running with -T switch at (eval 2)
> line 6.
[...]
> "When perl is run under taint mode, printf() and sprintf() will now
> reject any tainted format argument."
[...]
> last if ! -f ($filename =
> sprintf("${TMPDIRECTORY}${SL}CGItemp%d",$sequence++));
>
> Obviously there are various ways around this (it's currently causing me
> trouble with a Bugzilla system running on 5.10.0, and I've worked around
> the problem by just commenting out the unshift() line above so that the
> tainted value is not a candidate), but I'm not sure what a good
> permanent fix would be.

It seems to me that this would have to be fixed in CGITempFile because the
error is probably genuine.

How about changing the sprintf call to this (untested, but well...):

sprintf("\%s${SL}CGItemp%d", $TMPDIRECTORY, $sequence++)

The warning is about tainted stuff in the _format_, so this should fix the
issue.

Cheers,
Steffen
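The tainted-format failure and the argument-form fix discussed in the thread, as an added Perl example (not code from the thread or from CGI.pm); it assumes TMPDIR may be set in the environment, uses `/` as the path separator, and the untainting pattern at the end is an illustrative allow-list of our own, not what CGI.pm uses:

```perl
#!/usr/bin/perl -T
# Added example, not from the thread or CGI.pm. Run as: perl -T taint_sprintf.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Anything read from %ENV is tainted under -T. If TMPDIR is unset, the
# substr() trick taints the constructed fallback so the demo still applies.
my $tmpdir = $ENV{TMPDIR} // ( '/tmp' . substr( $ENV{PATH} // '', 0, 0 ) );
my $sl     = '/';    # assumed separator; CGI.pm uses $SL ("\\" on Windows)
my $seq    = 1;

# Broken form: the tainted directory is interpolated into the format string,
# which is what 5.10.0 rejects with "Insecure dependency in sprintf".
my $broken = eval { sprintf( "${tmpdir}${sl}CGItemp%d", $seq ) };
print "format-interpolated form: ", ( defined $broken ? "ok\n" : "died: $@" );

# Fixed form: the format is a clean literal; tainted data travels as arguments.
my $fixed = sprintf( "%s%sCGItemp%d", $tmpdir, $sl, $seq );
print "argument form: $fixed\n";

# Taint still propagates into the result, so the name must be validated
# before it reaches open() or unlink(), which also die on tainted input.
print "result is tainted: ", ( tainted($fixed) ? "yes" : "no" ), "\n";

# Untaint by capturing against an explicit allow-list of path characters.
my ($safe) = $fixed =~ m{^([\w/\\:.\- ]+)$}
    or die "temp file name contains unexpected characters\n";
print "untainted name: $safe (tainted: ", ( tainted($safe) ? "yes" : "no" ), ")\n";
```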