
One of the Perl file test operators, -T tells you if a file is a text file. A text file in this context means that when some of the file is read, it seems like text to Perl.

Aside from being one of Perl's X-File tests, -T is also a command line switch for taint mode.

Here are two ways to turn on taint mode:
[user@host user]$ perl -T myscript.pl -- use the -T switch at command line execution
#!/usr/bin/perl -T -- add it to the first line of your script

While running in taint mode, Perl checks for tainted data. If it finds any being used in an unsafe way, the program dies with an error message such as:
Insecure $ENV{PATH} while running with -T switch at script line 4.

Data is said to be tainted if it comes from any external source, such as a file you open, an $ENV variable, or a command line argument. CGI programmers are encouraged to use taint mode in all of their CGI scripts as a security precaution. Any setuid scripts should also be taint checked.

To un-taint tainted data, you can use a simple regular expression such as the following (adapted from The Perl Cookbook). Only the captured part, $1, is considered clean, and only if the match succeeds; if the match fails, $1 is stale or undefined, so test the result of the match before using it:
if ($var =~ /^([\w.-]+)/) { $var = $1; }   # $1 is untainted
else { die "Unexpected characters in input\n"; }
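Here is an added, complete script (not part of the original write-up or The Perl Cookbook) that runs under -T and shows the whole sequence: cleaning $ENV{PATH} so that the "Insecure $ENV{PATH}" error above does not occur, untainting one command line argument with a regex capture, and only then passing it to an external command. The choice of `ls -ld` as the command and the stricter, fully anchored pattern `^([\w.-]+)$` are assumptions of this example.

```perl
#!/usr/bin/perl -T
# Added example: taint mode end to end. Not code from the original write-up.
use strict;
use warnings;

# Under -T, $ENV{PATH} is itself tainted, so any system() or backtick call
# would die with "Insecure $ENV{PATH}" unless PATH is set to a trusted value.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # perlsec recommends clearing these too

# @ARGV comes from outside the program, so every element is tainted.
my $raw = shift @ARGV;
defined $raw or die "usage: $0 <filename>\n";

# Untaint with a regex capture. Only the captured text ($1) is marked clean,
# and only when the match succeeds, so the result of the match is tested.
# (Assumption: a fully anchored pattern is used here so the *entire* value
# must be a plain filename, not just its leading part.)
my $name;
if ($raw =~ /^([\w.-]+)$/) {
    $name = $1;
} else {
    die "Refusing to use '$raw': not a plain filename\n";
}

# The untainted value may now be used in a system call. Had the original,
# still-tainted $raw been passed here, taint mode would have died with an
# "Insecure dependency in system while running with -T switch" error.
system('ls', '-ld', $name) == 0
    or die "ls failed with status $?\n";

# The unrelated -T *file test* from the top of the write-up, for contrast.
print "$name looks like a text file\n" if -T $name;
```

Run it as `perl -T example.pl notes.txt`; an argument such as `notes.txt;id` fails the regex and the script dies before anything is executed. Note that the list form of system() is used so that no shell is involved; taint mode flags the data, but it is the programmer who must choose a safe way to use it.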

The cost of taint mode is that untainting code like the above is needed wherever external data is used in your program, which adds overhead. For this reason, it is generally not worth enabling taint mode when it is not needed, that is, when your program is not a CGI, setuid, or setgid script.
