
Stuff Taint Doesn't Catch

Be careful! Even when you've turned on taint checking, you can still write an insecure program. Remember that taint only gets looked at when you try to modify the system, by opening a file or running a program. Reading from a file will not trigger taintedness! A very common breed of security hole exploits code that doesn't look very different from this small program:
    #!/usr/local/bin/perl -Tw
    use CGI ':standard';

    $file = param('filename');
    unless ($file) {
        $file = 'file.txt';
    }
    # Only reading: taint checking never looks at $file before it reaches open
    open (FILE, "</etc/webstuff/storage/" . $file) or die "$!";
    print header();
    while ($line = <FILE>) {
        print $line;
    }
    close FILE;

Just imagine the joy when the "filename" parameter contains ../../../../../../etc/passwd. (If you don't see the problem: on a Unix system, the /etc/passwd file contains a list of all the usernames on the system, and may also contain an encrypted list of their passwords. This is great information for crackers who want to get into a machine for further mischief.) Since you are only reading the file, Perl's taint checking doesn't kick in. Similarly, print doesn't trigger taint checking, so you'll have to write your own value-checking code when you write any user input to a file! Taint is a good first step in security, but it's not the last.
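A hardened version of the program above, added here as an example rather than code from the original tutorial; it assumes only the same storage directory and the CGI.pm helpers the page already uses. Because taint mode will not object to the read, the fix has to come from your own check: the file name is untainted through a regex that accepts a bare name only, so a ../ traversal is rejected before open ever sees it.

```perl
#!/usr/local/bin/perl -Tw
use strict;
use warnings;
use CGI ':standard';

# Same directory the page's example reads from.
my $base = '/etc/webstuff/storage';

my $file = param('filename');
$file = 'file.txt' unless defined $file && length $file;

# Accept a word character, then word characters or hyphens, optionally followed
# by dot-separated extensions. This rejects "..", a leading dot and every "/",
# so the validated name cannot leave $base. The capture is what untaints it.
my ($safe) = $file =~ /\A(\w[\w-]*(?:\.\w+)*)\z/
    or do {
        print header(-status => '400 Bad Request');
        print "Bad filename\n";
        exit;
    };

# Three-argument open with an explicit read mode: a name such as ">foo" or
# "|cmd" can no longer change the mode, and only the validated part is used.
open my $fh, '<', "$base/$safe"
    or do {
        print header(-status => '404 Not Found');
        print "Cannot open file\n";
        exit;
    };

print header();
while (my $line = <$fh>) {
    print $line;
}
close $fh;
```

The same pattern applies when writing user input to a file: validate and capture first, then use only the captured value, since print performs no taint check either.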
