Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Re^8: Taint mode limitations

by Anonymous Monk
on Nov 04, 2012 at 16:33 UTC ( #1002220=note: print w/replies, xml ) Need Help??

in reply to Re^7: Taint mode limitations
in thread Taint mode limitations

Alain is now faced with a problem of fixing up his -- self-described -- poor code.

I never said that the code is poor. It just wasn't written with security in mind. But it is very well designed and modular, and it will be almost trivial to add a user input sanitization layer to it (see:

This layer will protect my app against malicious user input, to the full extent of what is possible given the current limitations of taint mode. But it will still leave many possibilities for error which would be caught if the features I suggest were added to taint mode.

And given the existing mechanism is used my millions of pieces of code out there in the real world; and there is no real way to make his explicit de-tainting mechanism co-exist with the current mechanism; the likelyhood of it ever being implemented is very low.

I may be wrong, but I think the taint mode enhancements I propose are completely compatible with the current taint mode. All that is needed is to add an extra option to specify how lenient you want taint mode to be. The default should of course to let it be as lenient as it is now. But those of us who aren't happy with its current leniency could specify a different value for that option.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1002220]
[1nickt]: hippo You suggest this as a transport agent for Email::Sender, or ...? Just for the record Email::Sender:: Transport::SMTP has SSL/TLS support built-in (and some shiny RJBS extras like "partial success" ...)
[Perl300]: ok

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (12)
As of 2017-10-17 16:15 GMT
Find Nodes?
    Voting Booth?
    My fridge is mostly full of:

    Results (234 votes). Check out past polls.