how to untaint data?

[redsss]

I am trying to get one Tk perl script to send a message to the other like so:

Sending progam...

use Tk;
my $mw = MainWindow->new();
$mw->send('Foo' => $file_name);

Receiving program...

use Tk;

my $main_window = MainWindow->new(-title => 'My other prog');
$main_window->appname('Foo');

MainLoop;

sub Tk::Receive{
    shift;
    my $string = shift;

    if ($string =~ /pattern/){
       # Do somthing.    
    }
    else { die 'Wrong arg Received'}
}

The second program runs fine, but when running the first program, it says "Failed to AUTOLOAD 'MainWindow::send" (under windows) or "send to non-secure perl/Tk application rejected" (under linux).

I found this in the perl/tk FAQ:

the script that receives from a Tk::send must run with taint
checking turned on (i.e. with the -T switch thrown) and 
it must untaint all commands received from the other process.

Apparently this error has to do with me not untainting my data? I tried running the scripts with -T, but its still not working. I'm a newbie to this tainting concept.

Any idea of how to get around this problem?

 

[mlibeson]

Process all your variables one at a time using:

# Taken from an O'reilly book
sub is_tainted {
not eval {join('',@_), kill 0; 1;};
}

For those that are tainted you need to use a regex match on the value and reset the var ($var = $1. This will untaint the variable. Do not use $var =~ m/(.+)/; as this is insecure and if I read correctly, will not untaint your variable.

Good Luck.


Michael Libeson