http://www.perlmonks.org?node_id=176583


in reply to Web Security

Is there really that lack of clues out there? I don't know whether to be more scared or saddened.

Unfortunately, yes there is. Code like this, and worse, is used everywhere. And it's often very easy to find, even without the code. There are a lot of domain name providers that have whois lookup scripts to check if a certain domain is available. Many of those use qx// with raw, unparsed (and apparently never tainted) user input. Strangely, the domain perl.com; echo 'No match for "PERL.COM".' often is available.

Size of the company seems not to matter. Small and large companies both have incompetent coders. I am saddened, but a bit scared too. Maybe Perl should be harder, to avoid clueless people from coding without reading documentation?

- Yes, I reinvent wheels.
- Spam: Visit eurotraQ.
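A concrete form of the whois problem described above, as an added example that is not from this thread: the raw qx// lookup next to the version taint mode pushes you toward (untaint against a whitelist of hostname characters, then exec whois directly with no shell in between). It assumes a whois binary on the PATH and that the script is started as perl -T.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the thread. Run as: perl -T whois.pl
use strict;
use warnings;

# Taint mode refuses to pass tainted data to qx// or exec, and it also
# insists on a clean environment for any child process.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Broken version: the domain is interpolated into a shell command line, so an
# input like   perl.com; echo 'No match for "PERL.COM".'   runs two commands.
# Under -T this dies with an "Insecure dependency" error instead of running.
sub whois_unsafe {
    my ($domain) = @_;
    return qx{whois $domain};
}

# Step 1: untaint by extracting only what a hostname may contain
# (labels of letters, digits and hyphens joined by dots). Anything else is
# rejected outright rather than "cleaned up".
sub untaint_domain {
    my ($domain) = @_;
    if ($domain =~ /\A((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})\z/) {
        return $1;    # the capture is untainted
    }
    return;
}

# Step 2: never hand the value to a shell. The list form of open(-|) execs
# whois with the domain as a single argv element, so ; and quotes are inert.
sub whois_safe {
    my ($input) = @_;
    my $domain = untaint_domain($input)
        or die "rejected: not a plain hostname\n";
    open my $fh, '-|', 'whois', $domain
        or die "cannot run whois: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed inputs: the injection string quoted in the post, and a plain name.
for my $q (q{perl.com; echo 'No match for "PERL.COM".'}, 'perl.com') {
    print defined untaint_domain($q) ? "accepted: $q\n" : "rejected: $q\n";
}
```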

Re^2: Web Security
by Aristotle (Chancellor) on Jun 23, 2002 at 10:46 UTC

    How about making Perl6 autoenable taint in somewhat the same way it will autoenable warnings for scripts? :) If people's scripts die because they're doing something insecure, and then said people go ahead and circumvent or disable taints, they really won't have any excuses.

    Update: If it wasn't obvious: this post was somewhat tongue-in-cheek. :) Maybe more smilies would help? ;)

    Makeshifts last the longest.

      Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)

      How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated.

      Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits.

      I don't want to have to begin every Perl6 program of mine with

      #!/usr/local/bin/perl6
      no taint;            # Don't pretend I don't know how
                           # to run a program
      no CGI;              # Don't parse CGI parameters
      no Application::Web; # Don't overload open to open URLs
      no GUI::Tk;          # Don't do "new Tk::MainWindow"
      no GUI::Any;         # Don't wrap my script in an event
                           # loop.
      no DBI;              # Don't automatically connect to
                           # a database
      no Pod::Any;         # Don't print a blank line before
                           # and after every line beginning "="
      no HTML;             # Don't switch regexp syntax
      no Net;              # Don't set $|=1
      #use strict;         # Unneeded in Perl6! Yippee!
      #use warnings;       # - ditto -

      Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications.

      I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.

        Your point is well taken and I agree whole-heartedly. However, wouldn't it be nice if you could turn on taint mode when you turn on a certain package? In other words, what if use CGI; could be modified to always turn on Taint at the same time? There might be other modules that could benefit from this, too.

        Gary Blackburn
        Trained Killer