Re^3: Taint mode limitations
by BrowserUk (Pope) on Nov 03, 2012 at 14:51 UTC
My issue is that Perl tries to "guess" when I have looked at the input ("gee, the programmer captured some match groups from a regexp match on that input, so it MUST mean that he sanitized it"), instead of letting me tell it when I think I have looked at it closely enough (for example, by invoking a method untainted() on a variable).
Perl isn't "guessing". It is following the clearly laid out rule for 'detainting'. That is:
Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.
And it goes on to say:
That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism.
That may not be how you think it should work; but it is the way it does work. For better or worse.
You can try putting forwards your arguments for a different -- presumably better in your eyes -- way of working; but given how long the current mechanism has been in place; that the mechanism is -- has to be -- deeply embedded within the Perl core; and the historic convention that says Perl does not break backward compatibility; and the net result is that you will have to learn to live with what is; because it is very unlikely to change at this point in time.
With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
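
The detainting rule discussed in this post, shown as an added example that is not part of the original post or thread: a capture group clears the taint flag whether or not the pattern validated anything, so the pattern itself has to be the allowlist. The sub names, the sample strings and the filename policy are assumptions made for illustration; the zero-length tainted string built from `$0` and `$^X` is only a way to taint constructed samples without reading real input.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run as: perl -T <this file>\n" unless ${^TAINT};

# Zero-length tainted string; appending it taints a constructed sample value.
my $TAINT = substr("$0$^X", 0, 0);

# Allowlist pattern (hypothetical policy): a plain filename of 1..64 characters
# with no path separators, whitespace or shell metacharacters.
# Returns the captured, untainted copy, or undef if the input is rejected.
sub untaint_filename {
    my ($input) = @_;
    return $input =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Anti-pattern: capture everything. The taint flag is cleared although
# nothing about the value was checked.
sub untaint_blindly {
    my ($input) = @_;
    return $input =~ /\A(.*)\z/s ? $1 : undef;
}

# Constructed sample inputs.
for my $sample ('report-2012.txt', 'notes.txt; echo hi', '../../etc/passwd') {
    my $in = $sample . $TAINT;
    die "sample was not tainted\n" unless tainted($in);

    my $strict = untaint_filename($in);
    my $blind  = untaint_blindly($in);

    printf "%-20s strict: %-16s blind: %s (tainted: %s)\n",
        $sample,
        defined $strict ? "ok '$strict'" : 'rejected',
        defined $blind  ? "ok '$blind'"  : 'rejected',
        tainted($blind) ? 'yes' : 'no';
}
```

Only the first sample passes the strict pattern, while the blind pattern returns all three as untainted values, which is the "don't just blindly untaint anything" case quoted from the documentation.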