
Re: [MacPerl] Taint Talk



On Mon, 29 Dec 1997, Chris Nandor wrote:

>Basically, as per a previous request, MacPerl automatically adds
>":site_perl" to @INC (where it is relative to the MacPerl app).  However,
>Matthias adds it in such a way that it is "hardcoded", so that it is still
>in @INC when taint checking is on.
>
>My question is this: does anyone see a problem with adding :lib (and
>:lib:arch, where arch is MacPPC or MacCFM68K (or Mac68K?)) in the same
>hard-coded fashion?  This would basically make it like Unix perl.
>Problems?  Either in security or otherwise?

Yes, I have a problem with this.

":lib" is relative to the current directory, NOT the MacPerl app path. 

I think that whenever a droplet is used, the current directory is (by
default) the directory of the script. So ":lib" is searched there.

Second, anybody can change directories inside a script (even in a BEGIN
block). So basically you can include any directory you like, as long as
its name matches one of the default relative directories in @INC. As
far as taint checking is concerned, this sucks.

BTW, why does taint checking make a fuss about what is in @INC? Unless
each directory in @INC by default is write protected, this won't be any
guarantee. It is (or at least, can be) on Unix, for user "nobody", the
CGI/browser clients.

	Bart.
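
The point Bart makes above, that a relative @INC entry is resolved against whatever the current directory happens to be, together with the obvious hardening (keep only absolute entries before anything is loaded), as an added Perl example that is not part of this thread or of MacPerl itself. It uses 'lib' as a stand-in for MacPerl's ':lib' so it runs on Unix perl; the search path and the chdir target are constructed for the demonstration.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;

# Hardening: drop every @INC entry that is not an absolute path before
# any further `use`/`require` runs. A later chdir (even in another BEGIN
# block) can then no longer redirect module lookup into some other tree.
BEGIN {
    @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
}

# Resolve each entry the way require() would see it from the current
# directory. Relative entries (':lib' on MacPerl, 'lib' or '.' on Unix)
# change meaning whenever the working directory changes.
sub resolve_inc {
    my @inc = @_;
    return map { File::Spec->rel2abs($_) } @inc;
}

# The same filter as the BEGIN block, as a reusable function.
sub absolute_inc_only {
    my @inc = @_;
    return grep { File::Spec->file_name_is_absolute($_) } @inc;
}

# Constructed search path: one relative entry, one absolute entry.
my @search = ('lib', File::Spec->rootdir);
my $start  = getcwd();

print "cwd $start\n";
print "  before chdir: ", join(', ', resolve_inc(@search)), "\n";

# Moving to another directory silently moves where 'lib' points.
chdir(File::Spec->tmpdir) or die "chdir failed: $!";
print "cwd ", getcwd(), "\n";
print "  after  chdir: ", join(', ', resolve_inc(@search)), "\n";
chdir($start) or die "chdir back failed: $!";

# Only the absolute entry survives the filter, so the lookup is stable.
print "hardened \@INC: ", join(', ', absolute_inc_only(@search)), "\n";
```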
