Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Module: Override Function Calls

by Spidy (Chaplain)
on Mar 14, 2007 at 15:05 UTC ( #604832=perlquestion: print w/ replies, xml ) Need Help??
Spidy has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, fellow monks.

For a recent project I've been working on, we've been using modules to toy around with all of the arguments passed to our scripts. This is all well and good, but it also means we need to implement security in all of those modules. The idea came to me: why not have a certain base function that sanitizes all of the arguments passed to the module, and then passes the newly sanitized arguments on to the function that was supposed to be called?

However, I don't know if this is possible. I figured that a monk here might know more than I do about this or if it's feasible, so I am humbly requesting your thoughts and/or tips on this.

Thanks,
Spidy

Comment on Module: Override Function Calls
Re: Module: Override Function Calls
by merlyn (Sage) on Mar 14, 2007 at 15:11 UTC
    why not have a certain base function that sanitizes all of the arguments passed to the module, and then passes the newly sanitized arguments on to the function that was supposed to be called?
    Because there is no universal "sanitizing" function. What's valid as a filename might not make sense for an email address, and vice versa. Every argument has to be considered individually, and therefore any wrapper would have to know what arguments are expected. By the time you've done all that, you might as well just subclass or edit the original subroutines, rather than wrap them.

    That's why I hate these "untaint" modules: they generally are re-opening the hole that tainting is trying to close. Every value needs to be considered individually!

      Right, you need to use something that will allow you to specifically validate all of your fields individually. If you want to actually do it right and make your security functionality more than a gesture, you need to use something like Data::FormValidator to specifically check each and every one of your arguments against a regex or lookup. I've seen way to much of this:
      # untaint! $cgi->param('field') ~= m/(.*)/; $cgi->param('field', $1);
Re: Module: Override Function Calls
by davorg (Chancellor) on Mar 14, 2007 at 15:11 UTC
Re: Module: Override Function Calls
by radiantmatrix (Parson) on Mar 15, 2007 at 14:14 UTC

    I'm not sure what you're looking for.

    If you're parsing command-line arguments, look at the Getopt family of modules. If you're trying to validate parameters passed to your modules' subroutines, you might look at Params::Validate. If you're interested in general data validation, take a look at Data::Validate and its relatives.

    Of course, if your concern is trusting user input (which seems likely given that you mention security), you may want to combine one or more of the above with using perl's -T switch to turn on taint mode (see perlsec). This will cause errors to be thrown whenever a script/module attempts to do something potentially insecure with user-supplied ("tainted") data.

    The Untaint module might be helpful in the way of building your "sanitizers".

    <radiant.matrix>
    Ramblings and references
    The Code that can be seen is not the true Code
    I haven't found a problem yet that can't be solved by a well-placed trebuchet

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://604832]
Approved by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (8)
As of 2014-12-20 18:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (97 votes), past polls