Page 42: Taint mode (cont)

  Use regexps to untaint data
     $text = param('email');
     # Bind with =~ (not =); the /x modifier lets the pattern carry spaces.
     if ( $text =~ / ^ ( [^@]+ @ [-a-z0-9.]+ ) $ /ix )  {
        $email_addr = $1;
     } else {
        bail "Email address isn't in even vaguely valid format";
     }
     # $email_addr now untainted (only the capture group is cleared)
     # $text still tainted
     open SENDMAIL, "|/usr/bin/sendmail -t" or bail "sendmail";
     print SENDMAIL <<EOM;
     To: $email_addr
     Subject: whatever
     ...
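As an added example (not from the slides), a stand-alone script run with perl -T that applies the same capture-group untaint and uses Scalar::Util::tainted to show which variable stays tainted; the helper name untaint_email, the \A/\z anchors and the [^@\s] class are my choices, not the slide's pattern.

```perl
#!/usr/bin/perl -T
# Added example: untainting with a regex capture under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, any external command (including the slide's sendmail pipe)
# dies with "Insecure $ENV{PATH}" unless PATH is set to a trusted value.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns the untainted address, or undef when validation fails.
# Only the capture group $1 is untainted; the argument itself stays tainted.
sub untaint_email {
    my ($text) = @_;
    # \A and \z rather than ^ and $: $ also matches before a trailing "\n",
    # so "user\@example.com\n" would otherwise pass as valid.
    if ( $text =~ /\A ( [^@\s]+ @ [-a-z0-9.]+ ) \z/ix ) {
        return $1;
    }
    return;
}

# @ARGV is tainted when perl runs with -T, so this is genuinely tainted data.
my $text = $ARGV[0];
defined $text or die "usage: perl -T $0 EMAIL\n";

my $email_addr = untaint_email($text);
defined $email_addr
    or die "Email address isn't in even vaguely valid format\n";

printf "input tainted:   %s\n", tainted($text)       ? 'yes' : 'no';
printf "capture tainted: %s\n", tainted($email_addr) ? 'yes' : 'no';
# $email_addr can now be interpolated into the sendmail header; $text cannot.
```

The pattern is the whole security decision: a permissive capture such as /(.*)/ would also untaint the value, but without validating anything.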

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SPUG, 2003.

Presentation created using vim and MagicPoint.