Clint, you are a steely-eyed, missile man! In fact, I had taken the statement '$fp =~ /(.+)/' directly from another page as a posted solution to this problem without even looking at it. After your email, I felt like an idiot as it was obvious that all this statement would do was set $& and $1.
The is_tainted() subroutine from the camel book is clearly crap as I ran $fp through there and it returned false. I was surprised when your solution worked because I did not think $fp was tainted to begin with although I had checked through is_tainted(). It was not created from an environment variable or command line argument and did not originate through piped or file input. Following your email, however, I realized $fp was tainted because it came from a field value in a posted form. Anyway, that solved my problem. Just goes to show--always test the solution someone posts even if you don't believe it will work.

Kudos, brother.

Steve

Clinton Gormley wrote:
>
>> $fp =~ /(.*)/;
>
>
> This doesn't untaint $fp.
>
> Instead, you could do this:
>
> ( $fp )=( $fp =~ /(.*)/ );
>
> To untaint a variable using this method, you need to assign the result
> of a regex capture to the variable, not just do a regex check
>
> Clint
>
>
>

--
View this message in context: http://www.nabble.com/Insecure-dependency-in-unlink-while-running-with--T-switch-tf4045039.html#a11490823
Sent from the mod_perl - General mailing list archive at Nabble.com.
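The difference discussed in this thread, as an added example that is not part of either message: a match alone leaves the variable tainted, assigning the capture back untaints it, and an anchored allowlist pattern untaints only values of the expected shape. The path, the naming scheme and the sub names are hypothetical, and the tainted sample value is constructed; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run as: perl -T <script>\n" unless ${^TAINT};

# Constructed stand-in for a posted form field. Appending a zero-length
# tainted string marks the whole value as tainted.
my $marker = substr("$0$^X", 0, 0);
my $field  = "/tmp/upload_1234.tmp" . $marker;    # hypothetical path
die "sample value is not tainted\n" unless tainted($field);

sub state_of { return tainted($_[0]) ? "tainted" : "untainted" }

# 1. Match without assignment: only $1 and $& are set, $fp is unchanged.
my $fp = $field;
$fp =~ /(.*)/;
print "match only:     ", state_of($fp), "\n";

# 2. Capture assigned back: the taint flag is cleared, but (.*) accepts
#    any value, so nothing about the content was actually checked.
( $fp ) = ( $fp =~ /(.*)/ );
print "capture, (.*):  ", state_of($fp), "\n";

# 3. Capture against an anchored allowlist pattern (hypothetical naming
#    scheme): the value is untainted only if it has the expected shape.
sub untaint_upload_path {
    my ($path) = @_;
    return $path =~ m{\A(/tmp/upload_[0-9]+\.tmp)\z} ? $1 : undef;
}

# Second candidate is a constructed value that does not fit the scheme.
my @candidates = ($field, "/tmp/upload_1234.tmp/../../srv/index.html" . $marker);

for my $candidate (@candidates) {
    my $clean = untaint_upload_path($candidate);
    if (defined $clean) {
        # A value in this state is what unlink() accepts under -T.
        print "accepted: $clean (", state_of($clean), ")\n";
    } else {
        print "rejected: $candidate\n";
    }
}
```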