Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Re^2: To taint or not to taint?

by clinton (Priest)
on Mar 19, 2009 at 15:34 UTC ( #751756=note: print w/ replies, xml ) Need Help??

in reply to Re: To taint or not to taint?
in thread To taint or not to taint?

For data coming from users, yes, absolutely agree.

For internal data, eg paths from your config files which are readable only by root, would you still want this enabled? Would you do any real checks on these, or just untaint them blindly?

Comment on Re^2: To taint or not to taint?
Re^3: To taint or not to taint?
by tilly (Archbishop) on Mar 19, 2009 at 15:40 UTC
    The point of taint checking is to make the programmer decide what is risky. Obviously the config file that is that protected is safe, and so blindly untainting it is reasonable. That is the cost of the double-check that the checks I care about on my users really are being done as I think they are.

      Makes sense.

      Which has made me think, I could change my config loader to automatically untaint all the data it loads from a file if the file is writable only by the current user, no?

        That would be a perfectly reasonable change for any non-suid script. Because any damage that can be done by changing that file can be done more easily directly without using your script.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://751756]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (18)
As of 2014-09-16 17:31 GMT
Find Nodes?
    Voting Booth?

    How do you remember the number of days in each month?

    Results (38 votes), past polls