Re: Re: Re: *Web Security

by ariels (Curate)
on Jun 23, 2002 at 11:31 UTC (#176588=note)


in reply to Re^2: Web Security
in thread Web Security

Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)

How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated.

Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits.

I don't want to have to begin every Perl6 program of mine with

    #!/usr/local/bin/perl6
    no taint;             # Don't pretend I don't know how
                          # to run a program
    no CGI;               # Don't parse CGI parameters
    no Application::Web;  # Don't overload open to open URLs
    no GUI::Tk;           # Don't do "new Tk::MainWindow"
    no GUI::Any;          # Don't wrap my script in an event
                          # loop.
    no DBI;               # Don't automatically connect to
                          # a database
    no Pod::Any;          # Don't print a blank line before
                          # and after every line beginning "="
    no HTML;              # Don't switch regexp syntax
    no Net;               # Don't set $|=1
    #use strict;          # Unneeded in Perl6! Yippee!
    #use warnings;        # - ditto -

Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications.

I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.


Re: Re: Re: Re: *Web Security
by Trimbach (Curate) on Jun 23, 2002 at 19:44 UTC
    Your point is well taken and I agree whole-heartedly. However, wouldn't it be nice if you could turn on taint mode when you turn on a certain package? In other words, what if use CGI; could be modified to always turn on Taint at the same time? There might be other modules that could benefit from this, too.

    Gary Blackburn
    Trained Killer
