PerlMonks
Re: Why use taint

by theguvnor (Chaplain)
on Mar 09, 2002 at 20:19 UTC

in reply to Why use taint
in thread Errors in my (simple?) CGI Script!

I'm not sure why you are asserting that all parameters must specifically be untainted. I would tend to agree with Juerd that unless you're using it in a system call, it doesn't pose a security problem. (theguvnor would welcome any enlightenment to the contrary).

On the other hand, I don't understand Juerd's assertion that Perl's tainting is such a problem.

  1. You don't have to run -T if you don't want.
  2. Even when you use it, you only have to untaint those variables that you want to use in system calls.

So I don't know why Juerd is so down on Perl's tainting mechanism...

..Guv

Re: Re: Why use taint
by Juerd (Abbot) on Mar 09, 2002 at 20:38 UTC

    Next time, reply to the node you're commenting on, please.

    I don't use -T, but I think its use is highly overrated. I don't like -T because I trust my own code, find tainting very restricting and don't like the enormous overhead untainting involves.

    If there's one thing I hate, it's code like:

        ($var) = $var =~ /(.*)/s; # untaint $var
        # ... or ... (and the following idiom is used a lot more often (why?))
        $var = $1 if $var =~ /(.*)/s;

    But code like that is seen very, very often. And that's because tainting is often recommended without mentioning that it's not needed when you don't do system calls.


      I was replying to the node to which I was commenting. I also happened to reference your reply to the same node, in my reply. If I had split my response I would have been --ed for lowering the signal-to-noise ratio, so I guess I'm damned if I do, damned if I don't.

      </rant>

      I was actually agreeing with you for the most part - tainting is not always required as you point out. But for CGI parameters where the user input does get anywhere near the system, I think it's a useful warning mechanism that there could be unsafe programming.

      ..Guv
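
Added example, not code from either poster: a small `-T` script that shows the behaviour Juerd describes (tainted data is harmless until it reaches a system call, and the blanket `/(.*)/s` idiom untaints without validating anything) next to the allow-list untaint that theguvnor's "warning mechanism" is meant to prompt. The script name `untaint_demo.pl` and the `ls` call are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Shows what -T really checks:
# tainted data may be printed or compared freely and only dies when it
# reaches a system call, while the blanket /(.*)/s idiom satisfies -T
# without validating anything. Run as:  perl -T untaint_demo.pl report.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# -T refuses any system call while the environment could steer the shell,
# so clean %ENV first (the fix perlsec recommends).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for a CGI parameter: under -T everything that enters from
# outside the program (@ARGV, STDIN, %ENV, CGI->param) is tainted.
my $param = shift @ARGV or die "usage: perl -T $0 <filename>\n";

# No system call here, so no untainting is needed: printing and string
# comparison of tainted data are allowed.
printf "param='%s' tainted=%d\n", $param, tainted($param) ? 1 : 0;

# Blanket "untaint" from the thread: -T is satisfied, but every character
# of the input survives, shell metacharacters included.
my ($blanket) = $param =~ /(.*)/s;
printf "blanket untaint: tainted=%d value='%s'\n",
    tainted($blanket) ? 1 : 0, $blanket;

# Feeding the still-tainted value to system() is what -T actually stops:
# perl croaks "Insecure dependency in system while running with -T switch".
eval { system('ls', '-l', $param); 1 }
    or print "system() with tainted value refused: $@";

# Allow-list untaint: only a plain file name is captured; anything else
# is rejected before it gets near the shell.
my ($safe_name) = $param =~ /\A([\w.-]+)\z/
    or die "rejected '$param': not a plain file name\n";

# The validated value passes; the list form of system() also avoids the shell.
system('ls', '-l', $safe_name) == 0
    or print "ls exited with status ", $? >> 8, "\n";
```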

Re: Re: Why use taint
by simon.proctor (Vicar) on Mar 10, 2002 at 11:11 UTC
    I think in fairness I was neither asserting nor insisting someone use taint. Rather I was expressing that it could be used and voicing a personal opinion that it should. If it wasn't clear enough that it was a matter of opinion only, then apologies for any confusion caused.
