PerlMonks  

Re: Untainting safely. (b0iler proofing?)

by tadman (Prior)
on Jun 26, 2002 at 00:03 UTC


in reply to Untainting safely. (b0iler proofing?)

I'm completely stunned that you'd suggest not using regexes for parsing. They might be hard to get "right", but I assure you, getting the same effect with ord and unpack is going to be a struggle you don't want to pursue.

Peer review and a huge number of test cases, especially those culled from real-world experience, can help make your validation routine more robust. For example, check through your current database and make sure everything passes before unleashing your validator on the Web site. It's really unpleasant to find out that Really Important Customer XYZ can't post their Really Big Order because their part number has a dash in it, and your validator rejects that as invalid.
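The reply above recommends an anchored whitelist regex plus a large, table-driven set of test cases (including values pulled from real data, such as a part number containing a dash). The following is an added example of that approach, written for this page and not code from the thread; the field name, the whitelist rule and every sample input are assumptions made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical validator for a "part number" field (rule is an assumption for
# this example). It accepts by whitelist rather than trying to strip bad
# sequences: 1-32 characters, starting with a letter or digit, followed by
# letters, digits, dash, underscore or dot. \A and \z are used instead of
# ^ and $ because $ would still match before a trailing newline.
sub untaint_part_number {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless length($raw) >= 1 && length($raw) <= 32;
    # Under taint mode (perl -T) the capture group is what untaints the value.
    if ($raw =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]*)\z/) {
        return $1;
    }
    return undef;
}

# Constructed test table. The "accept" rows stand in for values culled from
# an existing database; the "reject" rows are shapes a validator must refuse.
my @cases = (
    # [ input,            expected result ]
    [ 'ABC-123',          'ABC-123'   ],   # dash inside a real part number
    [ 'X1.5_rev2',        'X1.5_rev2' ],
    [ "ABC-123\n",        undef       ],   # trailing newline: $ would allow it
    [ '',                 undef       ],
    [ '-leading',         undef       ],   # leading dash rejected by first class
    [ 'a' x 33,           undef       ],   # over the length limit
    [ '../etc/passwd',    undef       ],   # path characters not in whitelist
    [ "ABC\x00123",       undef       ],   # embedded NUL
    [ 'part number',      undef       ],   # whitespace
);

sub _show {
    my ($v) = @_;
    return 'undef' unless defined $v;
    (my $printable = $v) =~ s/[^\x20-\x7e]/?/g;   # keep output readable
    return "'$printable'";
}

my $failures = 0;
for my $case (@cases) {
    my ($input, $expected) = @$case;
    my $got = untaint_part_number($input);
    my $ok = (defined $got && defined $expected && $got eq $expected)
          || (!defined $got && !defined $expected);
    next if $ok;
    $failures++;
    printf "FAIL: input=%s expected=%s got=%s\n",
        _show($input), _show($expected), _show($got);
}
printf "%d cases, %d failures\n", scalar @cases, $failures;
exit($failures ? 1 : 0);
```

Run it as `perl -T validate.pl` to exercise the untainting capture under taint mode; extending `@cases` with rows exported from the live database is the "check through your current database" step, so a legitimate value that the rule rejects shows up as a failing test before the validator reaches production.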

Replies are listed 'Best First'.
Re: Re: Untainting safely. (b0iler proofing?)
by Anonymous Monk on Jun 26, 2002 at 02:10 UTC

    I'm completely stunned that you'd suggest not using regexes for parsing

    Did you read the article? If not, please take the time to scan it (search for "s/" to get to the relevant sections) and perhaps you'll see why this method (ord() and unpack()) seemed appealing. The way the interpolation that regexes do can be exploited to bypass even the most sophisticated set of multiple passes with regex to sanitise a user supplied path is simply scary.

    Peer review and a huge number of test cases, especially those culled from real-world experience

    Exactly why I was suggesting development of such code here! There are very few huge corporations and many millions of small companies in the world. The big ones have the budgets for such in-depth, in-house development, review and expertise. The rest have often one or two developers who are responsible for developing and maintaining the code. No possibility of enlisting more than their own expertise in reviewing their own work. And whilst when the big ones make mistakes, they have the funds to correct them. When the small ones make mistakes, the financial costs of correction are often too much for their small net worths to bear and they go under, taking the jobs they provided with them. Permanently.

    Expertise takes either time or money. Those that have invested the time, charge substantially to hire that expertise to others. The big guys have the money to grow that expertise internally or buy it externally. They are still making mistakes. The small guy has neither choice.

    I don't understand why the idea of utilising the collective resources of PM to address and simplify the process of handling security--the one thing that (as I have seen all over PM) is at the top of almost every single IT expert's, of any flavour, list of major priorities--is so shocking?

    BrowserUK (mistakenly posted anonymously)

    Added attribution - dvergin 2002-06-28

      The small guy has neither choice.
      And there's where you're wrong again.

      It's the cost of doing business plain and simple. If you can't include security as part of your budget and still make a profit, you've got a bad business plan.

      It's just as wrong to cheat on security costs as it is to cheat on paying Uncle Sam his share. If you wouldn't even dream of the latter, why are you even debating the former?

      -- Randal L. Schwartz, Perl hacker

      Please accept my apologies. I have just realised that when I made the post to which this is a reply, and this earlier post, I was not logged in. So they have come up as Anonymous Monk, not as me. I don't know how (or if) this can be corrected?

      If not, I offer this post for any that feel the need for --.
