More problems with taint check:

In the blue camel book (page 358) there is a function to see if a variable is tainted:

    sub is_tainted {
        not eval {
            join("",@_), kill 0;
            1;
        };
    }

This returns true all the time, I think because kill is not implemented like on UNIX, and returns false. The book states it "...make use of the obscure fact that kill function tests for taintedness, even when no process ID are supplied..."

I think obscure facts should not be used for programming, especially if we are talking about security. There should be another way to check if a variable is tainted. Maybe this should be solved in the original perl. I would also like to have such a function in the debugger.

Sidebar: the debugger is also not working with taint checks on, because of the @INC path.

UNIX and MacOS are different, so a UNIX security flaw may not be present in MacOS. But I see the following problem: If I'm on an AppleTalk network, and I have a publicly visible folder, someone can upload a MacPerl executable together with a specially modified version of a module like cgi.pm. If I now open my script by double-clicking, the new version of MacPerl may start, because the Finder starts the newest version of anything, and uses the bad module.

On UNIX, Perl's taint checks check if the PATH directories are only writable by the owner and the owner's group. Maybe on the Mac, taint check should check if the MacPerl Preferences and MacPerl itself and the paths from @INC are only writable by the owner and the group, and should set $ENV{MACPERL} and @INC as untainted.

Does anybody know any resources about security on the Mac? I have just done some research about security, but most resources are about UNIX and some about Windows and Windows NT.

Regards,
Karsten Meier

---------------------------------------------------------------------
Karsten Meier
EMail krstnmr@ibm.net
WWW: http://www.meier-online.com with following highlights:
* German MacPerl Primer
* XTensions for use with QuarkXPress
Unsolicited and/or commercial email is not permitted at this address.
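
Added example (not part of the original post and not code from the Camel book): a taint test that does not depend on kill, plus the @INC writability check the post proposes. It assumes a Perl that ships Scalar::Util and a stat() that returns POSIX-style mode bits, which the MacPerl setup in the post may not provide; loose_inc_dirs is a hypothetical helper name.

```perl
# Added example; run as:  perl -T check_taint.pl   (the file name is a placeholder)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Ask the interpreter directly whether a value is tainted,
# instead of provoking a taint exception through kill().
sub is_tainted { return tainted($_[0]) ? 1 : 0 }

# Return the module directories that accounts outside the owner and the
# owner's group can write to. Assumption: POSIX permission bits from stat().
sub loose_inc_dirs {
    my @dirs = @_;
    my @loose;
    for my $dir (@dirs) {
        next if ref $dir;        # @INC may hold hooks (code refs, objects)
        next unless -d $dir;     # ignore entries that do not exist
        my @st = stat($dir) or next;
        my $mode = $st[2] & 07777;
        push @loose, sprintf("%s (mode %04o)", $dir, $mode)
            if $mode & 0002;     # "other" write bit is set
    }
    return @loose;
}

# Without -T nothing is ever tainted, so say so instead of reporting "clean".
print "warning: taint mode is off, every value will test untainted\n"
    unless ${^TAINT};

# Constructed sample input: one value from outside the program, one literal.
my $from_env = defined $ENV{PATH} ? $ENV{PATH} : '';
my $literal  = 'hello';
printf "value from %%ENV tainted: %s\n", is_tainted($from_env) ? 'yes' : 'no';
printf "string literal tainted: %s\n",  is_tainted($literal)  ? 'yes' : 'no';

# Refuse to continue if a directory modules are loaded from can be
# modified by someone other than its owner or group.
my @loose = loose_inc_dirs(@INC);
if (@loose) {
    print "module directory writable by others: $_\n" for @loose;
    exit 1;
}
print "no \@INC directory is writable outside owner and group\n";
```

The directory check only reports; deciding to treat @INC as untainted after it passes, as the post suggests, remains a policy choice.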