Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: So, now what are taints?

by cLive ;-) (Prior)
on Mar 28, 2004 at 22:38 UTC ( #340447=note: print w/replies, xml ) Need Help??


in reply to So, now what are taints?

It's a way of (hopefully) stopping you from making silly mistakes.

Every piece of data that comes to the script that is used outside the script is considered tainted unless you explicitly grab it from a regular expression (I think, there may be other ways to untaint though).

Why is this useful? Let's say you had a script that uploaded a domain from a web page and you wanted to ping that domain.

my $q = CGI->new(); my $domain = $q->param('domain'); my $result = `ping $domain`;
Under taint, this would die because you're trying to pipe some untainted data to an external program. Imagine what would happen if some malicious user uploaded "localhost; rm -rf /" as the domain name!

So, under taint, you would need to explicitly grab the domain from the variable:

my $domain=''; $q->param('domain') =~ /^([a-zA-Z0-9\.]+)$/ and $domain = $1;
That's just a rough expression to grab the domain. The point is that you know that there won't be anything malicious in $domain when it's assigned.

But, untainting data in itself does not protect you. You could, if you wished, untaint it like this:

$q->param('domain') =~ /^(.+)$/ and $domain = $1;
but you won't have added to your security understanding if you do :) There are times though, when you don't care what a value contains and, in those instances, it would be perfectly acceptable to untaint like that. Just as long as you know for sure!

I wrote a little article on it here if you're interested.

.02

cLive ;-)

Replies are listed 'Best First'.
Re: Re: So, now what are taints?
by matija (Priest) on Mar 29, 2004 at 05:54 UTC
    You are forgetting not mentioning that there are actualy two pieces of data there that need untainting: one is the domain parameter obtained from the CGI, but the other is the PATH of your program. If you use backticks like that, and don't set up your PATH explicitly, perl -T will complain.

    That appears not to make sense in a CGI environment, but it makes a lot of sense when you're writing setuid root scripts that can be run from the command line.

      Indeed. Sorry - but it is mentioned in the article I linked to that I wrote on untainting :)

      cLive ;-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://340447]
help
Chatterbox?
[Corion]: marto: Oh, I'm jealous. I'm going to see DM in Frankfurt, but it's a stadium full of people, so, rather a big thing where you mostly get to see the band on screens ;)
[marto]: yes, the last time I saw them was in Berlin a few years ago, at the old Olympic stadium
[marto]: After Sunday I don't think I'll go see them again :)
[LanX]: Corion: come on, people are people! ;)
[Corion]: Naah, I think it's still an OK show so far. Their new songs aren't exactly great, but I'm not going there for new material anyway ;)
[marto]: I got the feeling from the last show that for big sections of it, they were not really into what they were doing
[Corion]: LanX: Sure, they can bask in my Halo
[marto]: more so than the previous show I saw
[Corion]: marto: Well, I think they go a tour every two years and I think it's hard to even get a connection with the crowd at a 20k people concert... But maybe after this time I'll stop too ;)
[Corion]: I still have to see the Pet Shop Boys live before they stop touring at all

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (13)
As of 2017-03-24 11:39 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Should Pluto Get Its Planethood Back?



    Results (301 votes). Check out past polls.