Security aware programming(5)

• tainted values cannot be used directly for:
  • commands invoked via a shell
  • commands modifying files, directories, processes
• example (first without taint checks):

• #!/usr/bin/perl

• $v = shift;

• system("echo $v"); # print `echo $v`

• $ ./nottaint.pl ';id'

• uid=100(devet) gid=0(wheel) groups=0(wheel)