PerlMonks  

Checking to see if Taint mode is enabled

by saintly (Scribe)
on Mar 17, 2007 at 00:08 UTC

saintly has asked for the wisdom of the Perl Monks concerning the following question:

I'm developing a database interface that will be used by other developers in my office. As part of our 'best practices' policies, we strongly discourage using unvalidated data in database searches. To help enforce this policy, I've got the database query parser spitting out a warning if the query is tainted, or if taint mode is disabled. After searching the net for a while, I haven't found any better way of checking to see if an expression is tainted other than the code in the 'perlsec' man page:
    sub is_tainted {
        return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
    }
And for checking whether taint mode is enabled at all, I've been using this ugly code that passes what should theoretically be always tainted:
    $taintModeEnabled = &is_tainted( +(getpwuid(0))[1] );
But now I've run into problems. getpwuid() works great on UNIX systems, but in ActiveState Perl on Windows, it breaks. So my questions are:
  1. Is there a better way to check for taintedness of a variable, say with a CPAN module (or some internal Perl thing I can check if I create my own XS module)?
  2. Is there a better way to check if Taint mode is enabled at all? In my dusty Perl reference, I see there's $^W which tells you if Warnings are enabled, but nothing for Taint.
  3. Is there some source of data that should *always* be tainted, on both Windows & UNIX systems? %ENV isn't necessarily going to be tainted since you can clean it by setting it. <STDIN> is hard to check if there isn't any, etc.
Insert some joke with vaguely sexual innuendo about checking taints here

Thanks!
  • Saintly

Re: Checking to see if Taint mode is enabled
by Thelonius (Priest) on Mar 17, 2007 at 01:07 UTC
    ${^TAINT}

    Reflects if taint mode is on or off. 1 for on (the program was run with -T), 0 for off, -1 when only taint warnings are enabled (i.e. with -t or -TU).

    In Perl 5.8.
      You have to use that new global inside an eval for backwards compatibility:
      sub is_tainted {
          my $taint;
          if ( $] >= 5.008 ) {
              $taint = eval '${^TAINT}';
          } else {
              # some work around ...
          }
          $taint;
      }
Re: Checking to see if Taint mode is enabled
by kyle (Abbot) on Mar 17, 2007 at 00:27 UTC

    The contents of your current directory are tainted (when I tried it, at least).

    sub is_tainted { return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; }
    opendir my $dot_fh, '.' or die "Can't opendir .: $!";
    my ($any_file) = readdir $dot_fh;
    closedir $dot_fh;
    print "tainted\n" if is_tainted( $any_file );
      sub is_tainted { return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; }
      Ingenious, but unnecessary. There's Scalar::Util::tainted.

      Anno

Re: Checking to see if Taint mode is enabled
by ferreira (Chaplain) on Mar 17, 2007 at 18:00 UTC
    Is there a better way to check for taintedness of a variable, say with a CPAN module (or some internal Perl thing I can check if I create my own XS module)?

    The immediate solution that comes to my mind is to use Scalar::Util which belongs to core since 5.7.3 and its tainted function. From the module's documentation:

    =item tainted EXPR

    Return true if the result of EXPR is tainted

        $taint = tainted("constant");   # false
        $taint = tainted($ENV{PWD});    # true if running under -T

    You may learn more about it in the sections of perlsec devoted to tainting. You will find there the expression mentioned by Anno at Re^2: Checking to see if Taint mode is enabled and the recommendation for Scalar::Util::tainted (also mentioned in the same node) if you're using 5.8.0 or later.

Re: Checking to see if Taint mode is enabled
by saintly (Scribe) on Mar 18, 2007 at 16:56 UTC
    Thanks very much! I'll probably use some combination of these so that the taint module works on whatever version of Perl we have installed on production & test machines. I hadn't thought of readdir(). =)
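As an added example, not code from the thread: the kind of combination saintly describes, putting Thelonius's ${^TAINT} check, the perlsec is_tainted idiom and Scalar::Util::tainted (Anno, ferreira) behind one policy check for a query helper. The helper names, the SQL strings and the use of $ENV{PATH} as the demo input are assumptions of the example.

```perl
use strict;
use warnings;

# Taint mode status, as Thelonius describes: 1 = -T, 0 = off,
# -1 = -t (warnings only). ${^TAINT} only exists from 5.8, so it is
# compiled inside a string eval; older perls get undef (unknown).
sub taint_mode {
    return $] >= 5.008 ? eval '${^TAINT}' : undef;
}

# Is the value tainted? Prefer Scalar::Util::tainted when the XS
# version is available; otherwise fall back to the perlsec idiom,
# whose inner eval dies under -T if any of @_ is tainted.
sub is_tainted {
    if ( eval { require Scalar::Util; Scalar::Util->can('tainted') } ) {
        return Scalar::Util::tainted( $_[0] );
    }
    return ! eval { eval( "#" . substr( join( "", @_ ), 0, 0 ) ); 1 };
}

# The policy check for the query parser (assumed name): returns the
# list of warnings to emit, empty when the query passes.
sub query_policy_warnings {
    my ($sql) = @_;
    my @warnings;
    my $mode = taint_mode();
    push @warnings, "taint mode is not enabled (run perl with -T)"
        unless defined $mode && $mode == 1;
    push @warnings, "query text is tainted; validate it before use"
        if is_tainted($sql);
    return @warnings;
}

# Constructed demo input: a constant query, and one that interpolates
# $ENV{PATH}, which is tainted under -T on both UNIX and Windows unless
# the program has already cleaned it.
my $constant = "SELECT id FROM users WHERE name = ?";
my $from_env = "SELECT id FROM users WHERE home = '$ENV{PATH}'";
for my $q ( $constant, $from_env ) {
    my @w = query_policy_warnings($q);
    printf "%s\n  -> %s\n", $q, @w ? join( '; ', @w ) : 'ok';
}
```

Run it once as `perl -T example.pl` and once without -T: the first run warns only for the query built from %ENV, the second warns for both because taint mode is off and nothing is ever tainted.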
