How do I set taint mode in a Perl script with a #!/usr/bin/env perl shebang?
Taint mode tracks data that comes from outside the program and refuses to let that data be used for anything insecure. When it is enabled, Perl marks every value as tainted or not; tainted data is anything that originates outside the code, such as command-line arguments, environment variables and file input.
The concept behind taint checking is that any variable that can be modified by an outside user (for example a variable set by a field in a web form) poses a potential security risk. If that variable is used in an expression that sets a second variable, that second variable is now also suspicious.
Perl is designed to make it easy to program securely even when running with extra privileges, like setuid or setgid programs; in that situation (differing real and effective user or group IDs) Perl turns taint mode on automatically, otherwise it has to be requested with the -T switch. Unlike most command-line shells, which are based on multiple substitution passes on each line of the script, Perl uses a more conventional evaluation scheme with fewer hidden snags.
You can pass the PERL5OPT environment variable on the shebang line:
#!/usr/bin/env PERL5OPT=-T perl
This seems all rather backwards to me.
Another option is to re-execute the script under taint mode if you detect it's not on:
#!/usr/bin/env perl
# ${^TAINT} is 1 under -T, -1 under -t and 0 when taint mode is off
warn 'Taint mode is '.(${^TAINT} ? 'on' : 'off')."\n"; # For debugging
# exec() only returns on failure, so do not fall through silently
exec($^X,'-T',$0,@ARGV) or die "re-exec under -T failed: $!" unless ${^TAINT};
# do stuff under taint mode here
Obviously, this is a major startup performance hit.
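A fuller version of the re-exec approach, added here as an illustration and not taken from the answer above: it re-executes itself under -T and then shows what taint mode actually does with a command-line argument. The single filename argument, the PATH value and the regex whitelist are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example, not part of the original answer. Re-execs itself under -T,
# then demonstrates taint tracking on a command-line argument (assumed: the
# script is given one filename as its argument).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 under -T, -1 under -t (warnings only), 0 otherwise.
# exec() only returns if it failed, so die in that case instead of silently
# continuing without taint checks.
unless (${^TAINT}) {
    exec($^X, '-T', $0, @ARGV)
        or die "cannot re-exec '$^X -T $0': $!";
}

# Under -T, %ENV is tainted. perlsec's recipe before running any subprocess:
# set PATH explicitly (its directories must not be world-writable) and drop
# the variables that influence a shell.
$ENV{PATH} = '/usr/bin:/bin';           # assumed safe for this example
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $name = shift @ARGV // die "usage: $0 FILENAME\n";
printf "argument '%s' is tainted: %s\n", $name, tainted($name) ? 'yes' : 'no';

# Even the list form of system() refuses tainted arguments: perl dies with
# "Insecure dependency in system while running with -T switch".
eval {
    system('ls', '-l', '--', $name) == 0 or die "ls failed: $?\n";
    1;
} or print "system() with the tainted value was refused: $@";

# The only sanctioned way to untaint is a regex capture. Whitelist what you
# accept (here: word characters, dots and dashes) and reject everything else.
my ($clean) = $name =~ /\A([\w.\-]+)\z/
    or die "refusing unsafe filename '$name'\n";
printf "whitelisted copy is tainted: %s\n", tainted($clean) ? 'yes' : 'no';

system('ls', '-l', '--', $clean) == 0
    or warn "ls -l -- $clean failed\n";
```

Run it as ./script.pl somefile: the first system() call is refused because the argument is tainted, the second succeeds because the value was passed through a capture. Note that the re-exec relies on $0 still resolving from the current directory, which holds when the script is started by path.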
Since taint mode can only be enabled via the -T flag, and env won't accept any flags in a shebang line, your best option is to run the program via perl -T script.pl rather than executing the script directly.
If you absolutely need to enforce taint mode in the shebang, you could make a taintperl script somewhere in your PATH (e.g. /usr/local/bin) with the following contents:
#!/bin/sh
# the kernel appends the script path and its arguments; pass them on to perl
exec /usr/bin/env perl -T "$@"
Then in your Perl script, have
#!/usr/bin/env taintperl