(tye)Re: Alternatives to Taint Checking?

by tye (Cardinal)
on May 24, 2001 at 03:29 UTC (#82771=note)


in reply to Alternatives to Taint Checking?

But in the context of taint checking w/ CGI, isn't the main point just that you should scrub your CGI parameters?? Your web server should not be set-UID to root so the security problem is that stuff from "the world" needs to be checked.

So isn't a reasonable solution as simple as replacing the few CGI.pm methods that get data from the client with versions that require "scrubbing instructions"? I'd probably make a tiny hack to CGI.pm to prevent it from being used directly and then make a CGI::Safe where the param() method is a fatal error but safeparam() requires an extra argument that is the scrubbing instructions.

I'd support a few formats of scrubbing instructions. You should make the most common case of requiring the parameter value to match /^\w[-\w.]*\z/ be very easy. But if a ref to a regex is provided, then apply the regex and die if it fails, return $1 if successful. If a code ref is provided, just run that code.

        - tye (but my friends call me "Tye")
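The wrapper tye sketches above, written out as an added example (this is not tye's code, not the CPAN module that later took the CGI::Safe name, and it skips the "hack CGI.pm so it can't be used directly" step). The package name CGI::Safe, the method name safeparam(), and the query string it parses are all assumptions for illustration; it assumes CGI.pm is installed, since CGI.pm is no longer shipped with Perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical CGI::Safe: wraps CGI.pm so that every value taken from the client
# must arrive through safeparam() together with its "scrubbing instructions".
package CGI::Safe;
use CGI ();
use Carp qw(croak);

sub new {
    my ($class, @args) = @_;
    return bless { cgi => CGI->new(@args) }, $class;
}

# Raw access is a fatal error: callers have to say how the value is scrubbed.
sub param {
    croak "CGI::Safe: param() is not allowed; use safeparam(name, scrub)";
}

# safeparam(name [, scrub])
#   no scrub        -> value must match /^\w[-\w.]*\z/ (the common, easy case)
#   qr// (Regexp)   -> apply it; die unless it matches; return $1
#   CODE ref        -> call it with the raw value; it returns the cleaned value
sub safeparam {
    my ($self, $name, $scrub) = @_;
    croak "safeparam: parameter name required" unless defined $name;

    my $raw = $self->{cgi}->param($name);    # scalar context: first value only
    croak "safeparam: missing parameter '$name'" unless defined $raw;

    if (!defined $scrub) {
        return $1 if $raw =~ /^(\w[-\w.]*)\z/;
        croak "safeparam: parameter '$name' failed default scrub";
    }
    if (ref $scrub eq 'Regexp') {
        if ($raw =~ $scrub) {
            # A pattern without a capture group would hand back undef, so
            # insist on one: the caller must say which part is trusted.
            croak "safeparam: regex for '$name' has no capture group" unless defined $1;
            return $1;
        }
        croak "safeparam: parameter '$name' failed regex scrub";
    }
    if (ref $scrub eq 'CODE') {
        return $scrub->($raw);
    }
    croak "safeparam: scrub must be a Regexp or CODE reference";
}

package main;

# Constructed query string standing in for what a browser sent; CGI->new
# accepts a query string directly, so this runs without a web server.
my $q = CGI::Safe->new('user=alice&page=3&path=../../etc/passwd&comment=hi%20there');

my $user = $q->safeparam('user');                       # default scrub: "alice"
my $page = $q->safeparam('page', qr/^(\d{1,4})\z/);     # regex ref: "3"
my $comment = $q->safeparam('comment', sub {            # code ref
    my $v = shift;
    $v =~ s/[^\w ]//g;                                  # keep word chars and spaces
    return substr($v, 0, 200);
});
print "user=$user page=$page comment=$comment\n";

# The default scrub rejects the traversal attempt, so this call dies.
my $path = eval { $q->safeparam('path') };
print "path rejected: $@" unless defined $path;

# Raw param() is a fatal error by design.
eval { $q->param('user') };
print "param() blocked: $@" if $@;
```

The default pattern anchors with \z rather than $ so a trailing newline cannot slip past it, and the regex branch returns $1 rather than the raw value so that only the captured, validated part ever reaches the caller, which is the same discipline taint mode enforces for untainting.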

