I work on a website based on Perl CGI. It's run with perl -T (taint mode). I noticed that a text input containing just a plus sign and nothing else ("+") causes CGI::param() to give this error:
Insecure dependency in require while running with -T switch at ....../CGI.pm line 533. BEGIN failed--compilation aborted.
This does not apply to other single signs, or a plus sign with leading or trailing blanks ("-", " + ", "?").
Although users usually won't enter a single plus sign as input, I would like to have a workaround here so that my script will reject the input nicely, instead of printing an ugly "Software Error" in the browser.
REQUEST_METHOD=GET QUERY_STRING='page=%2B' perl -s -T -E'
use strict;
use CGI qw( :standard );
CGI->new();                              # initialise the CGI object (required by our setup)
my $page;
eval { $page = param("page"); };         # "%2B" is a URL-encoded "+"
print "[ $@ ]\n";                        # print whatever error the eval caught
'
This prints a compilation error:
[ Insecure dependency in require while running with -T switch at ../..../CGI.pm line xxx. BEGIN failed--compilation aborted. ]
If I skip CGI->new() there will be no error. But this is not an option according to our requirements.
I hope this is more clear. Thanks all for being helpful!
YJ
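One way to get the "reject the input nicely" behaviour asked for above, as an added example rather than the asker's code: keep the param() call inside an eval, answer with a plain 400 response when it dies, and then untaint the value with an explicit allow-list. It assumes the parameter is called page, as in the question, and that valid page names consist of word characters, dots and hyphens; the cause of the underlying CGI.pm failure is not addressed here.

```perl
#!/usr/bin/perl -T
# Added example, not from the question: catch the failure raised by
# CGI::param() under taint mode and send a clean 400 response instead
# of the server's generic "Software Error" page.
use strict;
use warnings;
use CGI qw(:standard);

my $q = CGI->new;

# Reading the parameter inside eval means a die() from inside CGI.pm
# (the asker's own test shows the message lands in $@) does not abort
# the whole script.
my $page;
my $ok = eval { $page = $q->param('page'); 1 };

# Send a short, generic message to the client; log the real reason only
# server-side so internal paths and module names are not exposed.
sub reject {
    my ($reason) = @_;
    warn "rejecting request: $reason";
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid input.\n";
    exit 0;
}

reject($@ || 'unknown error') unless $ok;

# Untaint with an allow-list pattern (assumption: page names are word
# characters, '.' or '-', at most 64 long). A bare '+', or anything else
# outside the list, is rejected before it can reach file or shell code.
if (defined $page && $page =~ /\A([\w.-]{1,64})\z/) {
    $page = $1;    # $1 is untainted; $page is now safe to use
} else {
    reject('page parameter failed allow-list check');
}

print $q->header(-type => 'text/plain');
print "page=$page\n";
```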
%2B in taint mode when I called param without complaint. – Quentin

%2B in the URL. It is what you get when you submit a form with a field containing a +. – Quentin