Kevin Meltzer


Untaint - Module for laundering tainted data.


        use Untaint;

        my $pattern = qr(^k\w+);

        my $foo = $ARGV[0];

        # Untaint a scalar
        if (is_tainted($foo)) {
                print "\$foo is tainted. Attempting to launder\n";
                $foo = untaint($pattern, $foo);
                print "\$foo is not tainted!!\n";

        # Untaint an array 
        my @foo = @ARGV;

        push @foo, "not tainted";

        if (is_tainted(@foo)) {
                print "\@foo is tainted. Attempting to launder\n";
                my @new = untaint($pattern, @foo);
                print "\@foo is not tainted!!\n";

        # Another way for an list
        ($a, $b, $c) = untaint(qr(^\d+$), ($a, $b , $c));

        # Untaint a hash
        my $test = {'name' => $ARGV[0],
                    'age' => $ARGV[1],
                    'gender' => $ARGV[2],
                    'time' => 'late'

        my $patterns = {'name' => qr(^k\w+),
                        'age' => qr(^\d+),
                        'gender' => qr(^\w$)


        my %new = untaint_hash($patterns, %{$test});


This module is used to launder data which has been tainted by using the -T switch to be in taint mode. This can be used for CGI scripts as well as command line scripts.

The module will untaint scalars, arrays, and hashes. When laundering an array, only array elements which are tainted will be laundered.


is_tainted(<scalar or array>);

You can use this to check the taintedness of data if you wish, but it is also used internally by to do this when untaint() is called. This method returns 1 if tainted, 0 if not. This is actually a pass-through to's is_tainted method, since that already accomplishes this task.

newvar = untaint(<pattern>, <scalar or array/list>);

This method will launder the data (if it can) and return the newly laundered variable. It should be passed either a scalar, or an array reference. This will return either an array, or a scalar depending on which you want returned. The pattern should be a regular expression pattern to match the data against.

If this method can not launder a variable, it will croak().

untaint_hash(<hashref of patterns>, hash)

When laundering a hash, a hash of patterns can be passed. This allows you to define a different pattern for each element of the hash. If there is no pattern for an element in the hash, the value itself will be used as the pattern (therefore untainting itself). This behavior isn't really safe, so you need to specify that you want to do this by setting a special variable to a true value like this:


That scalar is exported so you need to specifically say it is ok to do this.

If this is not done, any key/value pair which does not have a pattern will not be laundered and the returned hash will only contain the key/value pairs which had a corresponding pattern.

It appears that whenever there is one value in a hash that is tainted, ALL values in that hash are tainted. This is a bug in Perl versions which are pre-5.6. This is somewhat of a quagmire since key/value pairs you actually set are now tainted, and need laundering. That's all well and good, but now there is the chance that when you pass the hash ref, you pass something without a pattern unknowingly, and data you don't want untainted is then laundered. Another current bug is that all hash keys are not considered tainted. So, be wary of using hash keys which come from unknown sources in Bad ways. But, if you are trying to use a hash key which you do not know where it's name is from in a dangerous manner, there may be other problems!


This variable must be set to a true value of you wish to allow hash values to be untainted based on their own value as a pattern. In other words, the pattern that will be matched to untaint it, will be itself, hence always being untainted. USE THIS WITH CAUTION.


perl Makefile.PL make make test make install make clean

Look at the test scripts to see how this can be implemented.


None known at this time. PATCHES WELCOME.


Copyright (c) 2000 Kevin Meltzer. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.


Kevin Meltzer, <>


Tom Phoenix, <>


perlsec, perlrun

2 POD Errors

The following errors were encountered while parsing the POD:

Around line 135:

'=item' outside of any '=over'

Around line 186:

You forgot a '=back' before '=head1'