Re: Re: Why use taint

This is an archived low-energy page for bots and other anonmyous visitors. Please sign up if you are a human and want to interact.

Only data that is used in external calls must be taint checked. For example, when a name is put in a cookie, just for fun, there's absolutely no reason to taint check it

Absolutely no reason to taint check? What if the name they give you contains "\r\n"? If you blindly copied that name into a Set-Cookie header, someone could insert arbitrary HTTP headers and HTML content into your output with a cross-site scripting attack.

you should think about encoding it, though

Encoding will solve this problem in most cases. CGI.pm automatically url-escapes cookie contents, which is yet another reason to always use it.

Comment on Re: Re: Why use taint

Replies are listed 'Best First'.
Re: Re: Re: Why use taint by Juerd (Abbot) on Mar 10, 2002 at 04:33 UTC
As you said, encoding solves the problem. And I don't like CGI.pm, and won't use it unless forced. Not even for cookies, I'd use CGI::Cookie for that, if I have to (note: CGI::Cookies is used by CGI.pm). Or I'd just write a quick-and-dirty regex like `s/(\W)/sprintf "%%%02x", ord $1/ge`. 44696420796F7520732F2F2F65206F 7220756E7061636B3F202F6D736720 6D6521203A29202D2D204A75657264	[reply]

• hippo

‥ epoptai's answer Re: how do I set a cookie and redirect was blessed by hippo!

• erzuuli

‥ Anonymous Monks are no longer allowed to use Super Search, due to an excessive use of this resource by robots.


We don't bite newbies here... much
	PerlMonks