
-T option in perl

What is the -T flag in Perl used for?


It enables "taint mode," a dataflow analysis that prevents potentially unsafe operations using untrusted inputs.

For example, it might seem reasonable to store a new user's details with

open my $fh, ">", "/var/myservice/$username"
  or die "...";
print $fh ...;

To illustrate how this is useful, what if a malicious user gives a username of ../../../etc/passwd and your service runs as root?

Taint mode won't allow the code above to run if the value of $username came from the command line or as a CGI form parameter.

The perlsec documentation shows how to "untaint" untrusted inputs to be sure they're safe.


-T  | Forces "taint" checks to be turned on so you can test them.

http://www.computerhope.com/unix/uperl.htm

See also Is Perl's taint mode useful? and CGI/Perl Taint Mode FAQ.

Thanks, Google!


If taint mode is on, you have to untaint data with a function, such as applying a regular expression to remove unsafe characters.

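The two answers above describe what taint mode blocks and how a regex untaints a value. The script below is an added example (not code from any of the answers or from the Perl documentation) that puts both together: it runs under -T, takes a username from the command line (so it is tainted), shows the direct open being refused, and then untaints the value with a whitelist regex before opening the file. The directory /tmp/myservice, the 32-character limit and the allowed character class are assumptions chosen for the example, not anything the answers specify.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_demo.pl '../../../etc/passwd'   or   perl -T taint_demo.pl alice
# (perl insists the -T switch be given on the command line, not only in the shebang,
#  when the script is started as "perl script.pl"; otherwise it dies with "Too late for -T option".)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a username by whitelisting. Only the captured group of a regex match is
# considered clean by perl, so the allowed alphabet is spelled out explicitly and
# the whole string must match (\A ... \z), not just a substring of it.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    if ($raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/) {   # assumed policy for this example
        my $clean = $1;
        # "." and ".." match the character class but are not acceptable file names.
        return if $clean eq '.' or $clean eq '..';
        return $clean;
    }
    return;   # anything with '/', spaces, NUL, etc. is rejected outright
}

my $dir = '/tmp/myservice';   # assumed location; the answer used /var/myservice
mkdir $dir unless -d $dir;

# Values read from @ARGV, %ENV, STDIN, files or CGI parameters are tainted.
my $username = $ARGV[0] // 'alice';
printf "input '%s' tainted: %s\n", $username, tainted($username) ? 'yes' : 'no';

# 1. The pattern from the first answer: open for writing with a tainted path.
#    Under -T perl refuses with "Insecure dependency in open while running with -T switch".
my $direct_ok = eval { open my $bad, '>', "$dir/$username" or die "open: $!\n"; close $bad; 1 };
print "direct open: ", ($direct_ok ? "allowed\n" : "blocked: $@");

# 2. Untaint first, then open. A traversal string such as ../../../etc/passwd never
#    passes the whitelist, so it is rejected before any file is touched.
my $safe = untaint_username($username);
die "rejected username '$username'\n" unless defined $safe;
printf "untainted '%s' tainted: %s\n", $safe, tainted($safe) ? 'yes' : 'no';

my $path = "$dir/$safe";
open my $fh, '>', $path or die "cannot open $path: $!\n";
print {$fh} "user record for $safe\n";
close $fh or die "close: $!\n";
print "wrote $path\n";
```

Two caveats worth knowing when you try this: taint checks apply to operations that affect the outside world (opening a file for writing, unlink, system, exec, and so on), so opening a tainted path read-only is still permitted; and if the script ever runs an external command it must also set $ENV{PATH} to a fixed value, because the inherited PATH is tainted too and -T refuses to use it.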