Question

I work on a website based on Perl CGI. It is run with perl -T (taint mode). I noticed that a text input that contains just a plus sign and nothing else ("+") causes CGI::param() to give this error:

Insecure dependency in require while running with -T switch at ....../CGI.pm line 533. BEGIN failed--compilation aborted.

This does not happen with other single signs, or with a plus sign with leading or trailing blanks ("-", " + ", "?").

Although users usually won't enter a single plus sign as input, I would like to have a workaround here so that my script will reject the input nicely, instead of printing an ugly "Software Error" in the browser.

REQUEST_METHOD=GET QUERY_STRING='page=%2B' perl -s -T -E'
use strict;
use CGI qw( :standard  );
CGI->new();
my $page;
eval { $page = param("page"); };
print "[ $@ ]\n";

'

This prints a compilation error:

[ Insecure dependency in require while running with -T switch at ../..../CGI.pm line xxx. BEGIN failed--compilation aborted. ]

If I skip CGI->new(), there is no error. But this is not an option according to our requirements.

I hope this is more clear. Thanks all for being helpful!

YJ


Solution

If you create a CGI object, use it.

my $cgi = CGI->new();
my $page = $cgi->param("page");

or

param("page");

but don't mix and match.
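A complete script following this advice, as an added example that is not part of the original answer: it uses the CGI object consistently under -T, untaints the "page" parameter against an allow-list, and returns a plain 400 response for anything else (a lone "+" included) instead of a "Software Error" page. The allow-list pattern and the helper name validated_page are assumptions for this example.

```perl
#!/usr/bin/perl -T
# Added example: consistent object-oriented CGI.pm usage under taint mode,
# with explicit allow-list validation instead of a bare "Software Error".
use strict;
use warnings;
use CGI;

# Under -T, %ENV{PATH} is tainted; set it explicitly before any system call.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $cgi = CGI->new();   # one object, used for every parameter access

# Return the untainted page name, or nothing if the input is not acceptable.
# The allow-list (ASCII letters, digits, underscore; 1 to 32 chars) is an
# assumption for this example; adjust it to the page names your site serves.
sub validated_page {
    my ($q) = @_;
    my $raw = $q->param('page');
    return unless defined $raw;
    # A regex capture is the documented way to untaint under -T.
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my $page = validated_page($cgi);

if (!defined $page) {
    # Reject politely: a 400 response rather than an HTTP 500 "Software Error".
    print $cgi->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid or missing value for 'page'.\n";
    exit;
}

print $cgi->header(-type => 'text/plain');
print "Showing page: $page\n";
```

Run it the same way as the reproduction above (REQUEST_METHOD=GET QUERY_STRING='page=%2B') to see the 400 response path; a value such as page=index takes the normal path.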

Licensed under: CC-BY-SA with attribution