Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
It's a way of (hopefully) stopping you from making silly mistakes.

Every piece of data that comes to the script that is used outside the script is considered tainted unless you explicitly grab it from a regular expression (I think, there may be other ways to untaint though).

Why is this useful? Let's say you had a script that uploaded a domain from a web page and you wanted to ping that domain.

my $q = CGI->new(); my $domain = $q->param('domain'); my $result = `ping $domain`;
Under taint, this would die because you're trying to pipe some untainted data to an external program. Imagine what would happen if some malicious user uploaded "localhost; rm -rf /" as the domain name!

So, under taint, you would need to explicitly grab the domain from the variable:

my $domain=''; $q->param('domain') =~ /^([a-zA-Z0-9\.]+)$/ and $domain = $1;
That's just a rough expression to grab the domain. The point is that you know that there won't be anything malicious in $domain when it's assigned.

But, untainting data in itself does not protect you. You could, if you wished, untaint it like this:

$q->param('domain') =~ /^(.+)$/ and $domain = $1;
but you won't have added to your security understanding if you do :) There are times though, when you don't care what a value contains and, in those instances, it would be perfectly acceptable to untaint like that. Just as long as you know for sure!

I wrote a little article on it here if you're interested.


cLive ;-)

In reply to Re: So, now what are taints? by cLive ;-)
in thread So, now what are taints? by muba

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others romping around the Monastery: (3)
    As of 2018-05-25 05:59 GMT
    Find Nodes?
      Voting Booth?