This is very close to what pjf and I were talking about. If we were to talk about some sort of implementation from the programmer side of things you might do something like this:
#!/usr/bin/perl -wTR
use strict;
use CGI;
use DBI;
restrict DBPassword, DB;
my DBPassword $passwd = "abcdef";
my DB $dbh = DBI->connect("DBI:mysql:something",
"someone", $passwd); # ALLOWED
my $cgi = new CGI;
print $cgi->header();
print $passwd; # NOT ALLOWED, program terminates
print STDERR $passwd; # NOT ALLOWED, program terminates
open(FILE, "> somefile") or die "Failed to open: $!";
print FILE $passwd; # NOT ALLOWED, program terminates
restrict CreditCard, CreditCardGateway;
my CreditCard $credit_card = $cgi->param("credit_card");
my CreditCard $expiry = $cgi->param("expiry");
my $foo = "$credit_card $expiry"; # $foo is now CreditCard type too.
print $foo; # NOT ALLOWED, program terminates
print STDERR $foo; # NOT ALLOWED, program terminates
print FILE $foo; # NOT ALLOWED, program terminates
my CreditCardGateway $gateway;
open ($gateway, "| cc_card_gateway") or die "failed to open gateway: $!";
print $gateway $foo; # ALLOWED
print $gateway $credit_card; # ALLOWED
print $gateway $expiry; # ALLOWED
$foo++; # Still of CreditCard type...
We'd probably also want a way to allow cleaning of these variables so they could be printed to files, or sent as email etc. Perhaps something like this:
restrict CreditCard, CreditCardGateway;
filter CreditCard, \&clean_credit_card;
my CreditCard $credit_card = $cgi->param("credit_card");
print $credit_card; # ALLOWED (filters card)
my CreditCardGateway $gateway;
open ($gateway, "| cc_card_gateway") or die "failed to open gateway: $!";
print $gateway $credit_card; # ALLOWED (prints full details)
# very very naive cleaning function
sub clean_credit_card {
my ($restricted) = @_;
$restricted =~ s/\d{12}/............/; # replace the first 12 digits with .s
return $restricted;
}
By providing a filter function we should be able to send this data on any output. Outputs which are of the correct type get the full data and everything else gets the filtered data. The absence of a nominated filter ensures that the output can ONLY be sent to correct outputs.
What this gives us is the ability to specifically choose where our data can go. We still have to make sure that we correctly filter stuff (just like we shouldn't use the regexp /(.*)/ in taint checking) but it helps us be just that little bit more sure that we're not going to make stupid mistakes and send out private data to the wrong person/process.
So, does anyone other than pjf and I think this would be worthwhile?
Update: changed the title
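To make the proposal concrete, here is an added Python sketch (not code from the post, and not a real Perl feature) that emulates "restrict" and "filter" at library level: a tagged string keeps its tag across concatenation, a sink only takes tagged data raw if it was nominated for that tag, and otherwise a registered cleaning function is applied or the write is refused. The sink names, the mask_card cleaner and the card number are constructed for the demo.

```python
# Added sketch (not the post's code): emulate "restrict"/"filter" in Python.
class RestrictedOutputError(Exception):
    """Raised when restricted data reaches a sink not nominated for it."""

class Restricted(str):
    """A str that remembers its restriction tag, e.g. 'CreditCard'."""
    def __new__(cls, value, tag):
        obj = super().__new__(cls, value)
        obj.tag = tag
        return obj
    # Like the post's "$foo is now CreditCard type too": joining keeps the tag.
    def __add__(self, other):
        return Restricted(str.__add__(self, other), self.tag)
    def __radd__(self, other):
        return Restricted(str.__add__(other, self), self.tag)

FILTERS = {}  # tag -> cleaning function (the post's "filter CreditCard, \&clean")

class Sink:
    """An output (STDOUT, a file, a pipe); 'accepts' lists tags it may get raw."""
    def __init__(self, name, accepts=()):
        self.name, self.accepts, self.written = name, set(accepts), []
    def write(self, data):
        if isinstance(data, Restricted) and data.tag not in self.accepts:
            clean = FILTERS.get(data.tag)
            if clean is None:  # no filter nominated: only correct outputs allowed
                raise RestrictedOutputError(f"{data.tag} data refused by {self.name}")
            data = clean(str(data))
        self.written.append(str(data))
        return str(data)

def mask_card(s):
    """Naive cleaner in the spirit of clean_credit_card: keep the last four."""
    return "*" * (len(s) - 4) + s[-4:]

def demo():
    stdout = Sink("STDOUT")
    gateway = Sink("cc_card_gateway", accepts={"CreditCard"})
    card = Restricted("4111111111111111", "CreditCard")  # constructed test number
    foo = card + " " + Restricted("12/29", "CreditCard")  # still CreditCard
    sent = gateway.write(foo)  # ALLOWED: gateway is nominated for CreditCard
    try:
        stdout.write(foo)  # NOT ALLOWED while no filter is registered
        refused = False
    except RestrictedOutputError:
        refused = True
    FILTERS["CreditCard"] = mask_card  # now STDOUT receives the filtered form
    return sent, refused, stdout.write(card)
```

Like taint mode, this only catches the sinks it knows about: any write path that bypasses Sink (or a cleaner that is too permissive) still leaks the data.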