Re^2: Web Security

by Aristotle (Chancellor)
on Jun 23, 2002 at 10:46 UTC

in reply to Re: *Web Security
in thread Web Security

How about making Perl6 autoenable taint in somewhat the same way it will autoenable warnings for scripts? :) If people's scripts die because they're doing something insecure, and then said people go ahead and circumvent or disable taints, they really won't have any excuses.

Update: If it wasn't obvious: this post was somewhat tongue-in-cheek. :) Maybe more smilies would help? ;)

Makeshifts last the longest.

Re: Re: Re: *Web Security
by ariels (Curate) on Jun 23, 2002 at 11:31 UTC
    Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)

    How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated.

    Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits.

    I don't want to have to begin every Perl6 program of mine with

    #!/usr/local/bin/perl6
    no taint;            # Don't pretend I don't know how
                         # to run a program
    no CGI;              # Don't parse CGI parameters
    no Application::Web; # Don't overload open to open URLs
    no GUI::Tk;          # Don't do "new Tk::MainWindow"
    no GUI::Any;         # Don't wrap my script in an event
                         # loop.
    no DBI;              # Don't automatically connect to
                         # a database
    no Pod::Any;         # Don't print a blank line before
                         # and after every line beginning "="
    no HTML;             # Don't switch regexp syntax
    no Net;              # Don't set $|=1
    #use strict;         # Unneeded in Perl6! Yippee!
    #use warnings;       # - ditto -

    Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications.

    I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.

      Your point is well taken and I agree whole-heartedly. However, wouldn't it be nice if you could turn on taint mode when you turn on a certain package? In other words, what if use CGI; could be modified to always turn on Taint at the same time? There might be other modules that could benefit from this, too.

      Gary Blackburn
      Trained Killer
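An added example (not from the thread) of what -T actually does with web-style input, covering both ariels' point that taint only matters where input is less trusted than the script's own permission bits and Gary's suggestion that loading a module could switch taint on: in Perl 5 it cannot, because ${^TAINT} is read-only and taint mode is chosen when the interpreter starts, so the closest a module gets is refusing to load without -T. The Needs::Taint package, the sample queries and the file-name policy are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Run as:  perl -T taint_demo.pl
# Shows what -T does with CGI-style input, and why "use CGI;" cannot
# switch taint on: ${^TAINT} is read-only, so the most a module can do
# is refuse to load unless perl was started with -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical module standing in for the "module that enables taint" idea.
package Needs::Taint {
    BEGIN { die "Needs::Taint: start perl with -T\n" unless ${^TAINT} }
}
package main;

# Under -T every %ENV value is tainted, but a literal assigned in the
# script is not, so the constructed inputs below are tainted by appending
# a zero-length slice of a tainted value (the idiom described in perlsec).
my $taint   = substr(join('', values %ENV), 0, 0);
my @queries = map { $_ . $taint } ('file=report.txt', 'file=../../etc/passwd');

# system() under -T also insists on a clean, absolute PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untainting happens only through a regex capture, so the pattern *is*
# the security policy. Constructed policy: a plain file name that starts
# with a word character (which also rules out "." and "..").
sub untaint_filename {
    my ($raw) = @_;
    return $raw =~ /^(\w[\w.-]*)$/ ? $1 : undef;
}

for my $query (@queries) {
    my (undef, $file) = split /=/, $query, 2;    # split preserves taint
    print "input '$file': tainted? ", tainted($file) ? "yes" : "no", "\n";

    # perl refuses tainted data in anything that reaches the outside
    # world, whether or not this particular value looks dangerous.
    eval { system('ls', '-l', $file); 1 }
        or print "  system() with raw value refused: $@";

    my $safe = untaint_filename($file);
    if (defined $safe) {
        print "  untainted as '$safe' (tainted? ", tainted($safe) ? "yes" : "no", ")\n";
        system('ls', '-l', $safe) == 0 or print "  ls exited with status $?\n";
    } else {
        print "  rejected: '$file' is not a plain file name\n";
    }
}
```

Running without -T stops at the Needs::Taint BEGIN block; with -T the first query is untainted and passed to ls, the second is refused by system() and then rejected by the policy.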
