3

What is the -T flag in Perl used for?

John Kugelman
Jim

3 Answers

10

It enables "taint mode," a dataflow analysis that prevents potentially unsafe operations using untrusted inputs.

For example, it might seem reasonable to store a new user's details with

open my $fh, ">", "/var/myservice/$username"
  or die "...";
print $fh ...;

To illustrate how this is useful, what if a malicious user gives a username of ../../../etc/passwd and your service runs as root?

Taint mode won't allow the code above to run if the value of $username came from the command line or as a CGI form parameter.

The perlsec documentation shows how to "untaint" untrusted inputs to be sure they're safe.

daxim
Greg Bacon
1
-T  | Forces "taint" checks to be turned on so you can test them.

http://www.computerhope.com/unix/uperl.htm

See also Is Perl's taint mode useful? and CGI/Perl Taint Mode FAQ.

Thanks, Google!

Community
Matt Ball
0

If taint mode is on, you have to untaint data with a function, such as applying a regular expression to remove unsafe characters.

Eric Truett
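The answers above describe taint mode blocking an open() on an untrusted username and untainting with a regular expression. The script below is an added example, not code from any of the answers, and shows both steps together. The helper name untaint_username, the allow-list pattern and the scratch directory are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Hypothetical helper: allow-list validation. Only the regex capture ($1)
# is untainted, so the pattern must describe what is safe, not just match.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Constructed sample input. Appending a zero-length piece of $^X (tainted
# under -T) taints the literals, so they behave like form or CLI data.
my $taint   = substr($^X, 0, 0);
my @samples = map { $_ . $taint } ('alice', '../../../etc/passwd');

my $dir = tempdir();    # scratch directory standing in for /var/myservice

for my $raw (@ARGV ? @ARGV : @samples) {
    printf "%-22s tainted=%d\n", $raw, tainted($raw) ? 1 : 0;

    # Taint mode aborts the open before it touches the filesystem.
    my $ok = eval { open my $fh, '>', "$dir/$raw" or die "open: $!"; 1 };
    print "  raw open:  ", ($ok ? "allowed\n" : "blocked: $@");

    my $safe = untaint_username($raw);
    if (!defined $safe) {
        print "  untaint:   rejected by allow-list\n";
        next;
    }
    open my $fh, '>', "$dir/$safe" or die "open $dir/$safe: $!";
    print {$fh} "user record\n";
    close $fh or die "close: $!";
    print "  untainted: wrote $dir/$safe\n";
    unlink "$dir/$safe" or warn "unlink: $!";
}
rmdir $dir or warn "rmdir: $!";
```

Run it as `perl -T script.pl` or as an executable file; perl refuses to start if -T appears on the #! line but not on the command line. A catch-all capture such as /(.*)/ would also untaint the value, but without validating anything, so the traversal string would get through.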