A mechanism in Perl that attempts to ensure that people can't take advantage of your script by supplying input that includes things like shell metacharacters. If a script took user input and blindly included it as part of a shell command, a devious user could supply input that would do any number of nasty things, such as running rm -rf /, accessing or changing files it shouldn't, and so on.

This protection is implemented by having every variable carry an implicit attribute indicating whether that variable is tainted or not. Any value obtained by any method of input becomes tainted, and Perl will not let you include it in system commands. A variable can only become untainted if you demonstrate to Perl that you've checked that the characters are legitimate, by assigning a captured sub-expression of a regular expression match to it. The whole principle is summed up thusly: "You may not use data derived from outside your program to affect something else outside your program--at least, not by accident."

Taint checking is enabled by default if a script is running setuid or setgid, and can be enabled explicitly in other cases with the -T switch on the command line.
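As an added example (not part of the original writeup), the following script shows the mechanism end to end under perl -T: a command-line argument arrives tainted, passing it to system() is refused, and extracting a capture group from a restrictive regular expression produces an untainted copy that may be used. The file name untaint_demo.pl and the character whitelist [A-Za-z0-9_.-] are assumptions chosen for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original writeup: demonstrates Perl taint mode.
# Run as:  perl -T untaint_demo.pl some_filename   (or ./untaint_demo.pl some_filename)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T the environment is tainted too, so a fixed PATH must be set before
# any system()/exec()/backtick call, and the classic shell-influencing
# variables are dropped (as perlsec recommends).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $name = $ARGV[0] // die "usage: $0 <filename>\n";
printf "input '%s' is %s\n", $name, tainted($name) ? 'tainted' : 'clean';

# Handing tainted data straight to a command is fatal under -T:
# "Insecure dependency in system while running with -T switch".
# eval turns that fatal error into a message we can print instead.
eval { system('ls', '-l', '--', $name) };
print "rejected: $@" if $@;

# Untaint by capturing from a pattern that allows only the characters we
# consider safe (assumed whitelist: letters, digits, '_', '.', '-').
# The capture ($1) is untainted; the match is the "proof" Perl asks for.
my ($safe) = $name =~ /\A([\w.-]+)\z/
    or die "filename '$name' contains characters outside [A-Za-z0-9_.-]\n";
printf "untainted '%s' is %s\n", $safe, tainted($safe) ? 'tainted' : 'clean';

# With the untainted copy the same call is permitted.
system('ls', '-l', '--', $safe) == 0
    or warn "ls exited with status ", $? >> 8, "\n";
```

Note that the check is only as good as the pattern: a regular expression such as /(.*)/ also untaints, but proves nothing, so the whitelist should be as narrow as the program's needs allow.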
