
Perl Untaint Variable By Passing Through Perl Module Subroutine


When untainting variables in Perl does all the untainting have to be done locally to the Perl (.pl) file or can it be passed through a Perl Module (.pm) to untaint?

For example, untainting may look something like this:

($string) = $string =~ /\A(.*)\z/s;   # only the captured group ($1) is untainted

(obviously it is a bad practice to blanket match-anything an input, this is just showing an example)

I'm wondering whether it is possible to pass it through a .pm, since I want to execute the same regex expression in multiple .pl files.

use myModule;

$string = myModule::myUntaint($string);

Where "myUntaint" is a subroutine within the .pm "myModule" that contains my regex.


Solution

  • Yes, you can have a subroutine in a module that takes a tainted parameter and returns an untainted expression derived from it.

    But you shouldn't be using a generic match-anything expression like /\A(.*)\z/s for untainting. That defeats the purpose of tainting, which is to ensure that the value looks like what you were expecting before you use it. (But that has nothing to do with where the code that does the untainting lives.)
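The arrangement the answer describes, as an added example that is not code from the question or the answer: the untainting subroutine lives in a package, uses a narrow pattern instead of a match-anything one, and the caller gets back either the untainted capture or undef. The package name MyModule, the subroutine name untaint_filename and the file-name pattern are assumptions for the example.

```perl
# Added example: run with taint checks enabled, e.g.  perl -T untaint_demo.pl report.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# In a real project this package would live in MyModule.pm and be loaded with
# "use MyModule;". It is defined inline here so the file runs stand-alone.
package MyModule;

# Return an untainted copy of $value if it looks like a plain file name, else undef.
# Only the captured group ($1) loses the taint flag, so the pattern should be as
# narrow as the expected input allows (hypothetical pattern for this example).
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    if ($value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;      # derived from the tainted input, but no longer tainted
    }
    return;             # reject rather than launder anything unexpected
}

package main;

# Under -T every element of @ARGV is tainted; that is the value to validate.
my $raw = $ARGV[0];
die "usage: perl -T untaint_demo.pl <file-name>\n" unless defined $raw;

my $clean = MyModule::untaint_filename($raw);
die "Rejected unsafe file name: '$raw'\n" unless defined $clean;

# Scalar::Util::tainted() reports the taint flag on each scalar.
printf "input tainted: %s, result tainted: %s\n",
    (tainted($raw)   ? 'yes' : 'no'),
    (tainted($clean) ? 'yes' : 'no');

# $clean can now be used in operations taint mode would refuse for $raw,
# such as opening a file for writing or passing it to system().
```

With a name like `report.txt` the script prints `input tainted: yes, result tainted: no`; a name containing `/` or `..` is rejected before it reaches any file operation.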