bart.mediamind@tornado.be (Bart Lateur) writes:

}Excuse my ignorance, but what IS taint checking?
}
}I thought that, on a Unix box, this applied mostly to preventing
}dangerous things from happening, especially relating to calling external
}programs (command lines), but what does it mean on a Mac?

Perl itself is so powerful (think about "unlink", for example) that the "command line" and external programs are the least of your worries.

I haven't used tainting that much myself, but my understanding is that every piece of data that comes from outside the Perl script is "tainted". Anything that's computed from tainted data is also tainted. Perl will refuse to do a large number of operations with tainted data, mostly, but as I understand it not exclusively, involving doing things to the local file system. There are ways of untainting data, but deliberately it's not simple.

Mac users tend to be complacent about security because they so often hear that "Macs are uncrackable", and it's true enough that MacOS won't fall to the classic Unix attacks. But anyone complacent enough to run a Perl CGI without tainting on may find out the hard way about other possible ways to be compromised. For example, if you're foolish enough to eval arbitrary Perl from a Web form, expecting the user to put in something innocuous like "print "Hello, world\n"", you might instead find "use File::Find;find(sub{unlink $File::Find::name},":");" (which will at least solve your security problem). More subtle attacks are also possible; remember that Perl is quite capable of opening a socket and writing data back to remote sites.

}
} Bart Lateur
} bart.mediamind@tornado.be
}

---
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693, Greenbelt, MD 20771
schinder@pjstoaster.pg.md.us

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
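The behaviour described above (outside data is tainted, derived data stays tainted, Perl refuses to let it reach the file system, a subprocess or a string eval, and untainting is done only through a regex capture) can be seen in a few lines. The script below is an added example, not code from the original thread; the file names, the `.log` suffix and the PATH value are made up for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): what Perl's taint mode does.
# Run as:  perl -T taint_demo.pl 'report.txt'
#          perl -T taint_demo.pl '../etc/passwd'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, every value that comes from outside the script is tainted:
# @ARGV, %ENV, STDIN, file contents, socket reads, and so on.  Anything
# computed from tainted data is tainted as well.
my $name = shift(@ARGV) // die "usage: $0 FILENAME\n";   # constructed input, tainted
my $path = "$name.log";                                   # derived from $name, still tainted

printf "tainted: name=%d path=%d\n",
    tainted($name) ? 1 : 0, tainted($path) ? 1 : 0;        # prints 1 and 1

# Perl refuses to let tainted data affect the outside world.  Writing to a
# tainted file name dies with "Insecure dependency in open while running with
# -T switch".  (Opening for reading is permitted; a read changes nothing.)
eval { open my $fh, '>', $path or die "open: $!\n"; close $fh; 1 }
    or print "write refused: $@";

# The same applies to eval of a tainted string, which is the "eval arbitrary
# Perl from a Web form" case from the post: the string contains $name, so it
# is tainted, and eval dies with "Insecure dependency in eval".
my $code = "print q{$name}, qq{\\n}; 1";
eval $code or print "eval refused: $@";

# The only sanctioned way to untaint is to pull the acceptable part out with a
# regex capture; Perl treats captured text as clean.  The pattern *is* your
# security policy, so keep it strict.  This one accepts a plain file name with
# at most one extension, so "../etc/passwd" and names carrying shell
# metacharacters are rejected outright.
my ($clean) = $name =~ /\A(\w[\w-]*(?:\.\w+)?)\z/
    or die "refusing unsafe file name: $name\n";
printf "tainted: clean=%d\n", tainted($clean) ? 1 : 0;    # prints 0

open my $out, '>', "$clean.log" or die "open: $!\n";      # now allowed
print $out "ok\n";
close $out;

# Subprocesses need more than clean arguments: with -T, Perl also requires
# $ENV{PATH} to be untainted before system/exec/backticks, and it checks
# IFS, CDPATH, ENV and BASH_ENV.  Set PATH yourself and drop the rest.
$ENV{PATH} = '/bin:/usr/bin';                              # assumed safe directories
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
system('ls', '-l', "$clean.log") == 0 or warn "ls failed: $?\n";
```

Run with `report.txt` and the script reaches the end, creating `report.txt.log`; run with `../etc/passwd` and it stops at the untaint step, after having already shown the refused open and eval. Note that the regex capture is where all the safety lives: a pattern such as `/(.*)/` untaints everything and turns -T back off in practice.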