Re: What's your favourite method of untainting?
by rob_au (Abbot) on Dec 14, 2005 at 12:11 UTC
For those who are unaware, the untainting method described in the third option refers specifically to tainting behaviour for hash keys. That is, hash keys are not tainted, ever. From perlsec: "Because taintedness is associated with each scalar value, some elements of an array or hash can be tainted and others not. The keys of a hash are never tainted."
perl -le "print unpack'N', pack'B32', '00000000000000000000001000000000'"
As per Wikipedia, Taint means:
in computer science, in particular in the Perl programming language, "tainted" data are considered untrusted and are treated with caution
Some Guru may want to add some more information to it, since it is described in a short manner.
Re: What's your favourite method of untainting?
by rinceWind (Monsignor) on Dec 14, 2005 at 11:13 UTC
A blessed horn of a unicorn untaints everything
Is a 'horn' synonymous with a reference I wonder :). There's potential for a new Acme:: module here.
--
Oh Lord, won’t you burn me a Knoppix CD ?
My friends all rate Windows, I must disagree.
Your powers of persuasion will set them all free,
So oh Lord, won't you burn me a Knoppix CD ? (Misquoting Janis Joplin)
I'll bite.
Note: Untested. And no, I'm not uploading this.
-Bryan
Update: It seems my untested code did have a flaw! Thanks ambrus++.
($foo) = ($variable =~ /^(.*)$/g);
Shouldn't you add an s switch to the regexp so that it would match multi-line strings?
Re: What's your favourite method of untainting?
by tbone1 (Monsignor) on Dec 14, 2005 at 13:29 UTC
s/\r\n/\n/g;
--
tbone1, YAPS (Yet Another Perl Schlub)
And remember, if he succeeds, so what.
- Chick McGee
Isn't that called deBilling?
Re: What's your favourite method of untainting?
by Nkuvu (Priest) on Dec 14, 2005 at 17:07 UTC
Personally, I like the method: my ($foo) = $var =~ /^.*$/
It's the "I don't care what was there, but now I'm sure it's safe" untaint method. And it looks more impressive than my $foo = 1.
</tongue_in_cheek>
Re: What's your favourite method of untainting?
by neosamuri (Friar) on Dec 14, 2005 at 20:47 UTC
A blessed horn of a unicorn untaints everything
This sounds like a NetHack reference, which brings to mind what can be done with the union of Nethack and perl.
Re: What's your favourite method of untainting?
by SirBones (Friar) on Dec 15, 2005 at 13:15 UTC
Re: What's your favourite method of untainting?
by ambrus (Abbot) on Dec 16, 2005 at 11:53 UTC
$string =~ /\A(.*)\z/s or die; $string = $1;
however this one is also nice (for byte strings):
$x = pack "B*", do { unpack "B*", $x };
It appears that if you take a string apart to bits and reassemble, the result is untainted, as the individual bits can't be tainted. In contrast, bytes are eight times larger than characters, so they're large enough for taint to stick on them; thus the following doesn't untaint the string but returns it unchanged.
$x = pack "C*", do { unpack "C*", $x }; # wrong
Those options all scare me...
by jonadab (Parson) on Dec 16, 2005 at 14:36 UTC
I thought the whole point of running in taint mode in the first place was to remind yourself to sanity-check all the user input and ensure it doesn't have any bizarroid stuff in it that you didn't expect, and that the recommended best practice was to combine untainting with validating, as in
($num) = $num =~ /(\d+)/;
($str) = $str =~ /([A-Za-z0-9_-]+)/;
i.e., everything not specifically allowed is verboten.
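The idioms discussed by rob_au (hash keys), ambrus (capture and pack/unpack) and jonadab (validate while untainting) side by side, as an added example that is not part of the thread. It assumes a perl with Scalar::Util, is run as `perl -T taint_demo.pl`, and taints a constructed literal by concatenating a zero-length slice of the tainted $ENV{PATH}; the allow-list check is anchored at both ends, a tightening of jonadab's version.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): report the taint status of each
# untainting idiom discussed above. Run with `perl -T taint_demo.pl`.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: concatenating a zero-length slice of a tainted
# environment value taints the literal, so no real user input is needed.
my $taint = substr($ENV{PATH} // '', 0, 0);
my $user  = "report 2005/12 (draft)" . $taint;

sub status {
    my ($label, $value) = @_;
    printf "%-30s %s\n", $label, tainted($value) ? "TAINTED" : "clean";
}

status("raw input", $user);

# 1. rob_au: hash keys are never tainted (perlsec), whatever they hold.
my %seen = ($user => 1);
my ($key) = keys %seen;
status("hash key round-trip", $key);

# 2. match-anything capture: clean, but it validates nothing.
my ($anything) = $user =~ /\A(.*)\z/s;
status('/\A(.*)\z/s capture', $anything);

# 3. ambrus: bit-level versus byte-level pack/unpack. Whether the "B*"
#    form still launders taint depends on the perl version; check it.
my $bits  = pack "B*", unpack "B*", $user;
my $bytes = pack "C*", unpack "C*", $user;
status('pack/unpack "B*"', $bits);
status('pack/unpack "C*"', $bytes);

# 4. jonadab: untaint *and* validate with an allow-list. The anchors
#    make a partial match a rejection rather than a silent truncation.
sub untaint_name {
    my ($in) = @_;
    return $in =~ /\A([A-Za-z0-9_-]+)\z/ ? $1 : undef;
}

for my $candidate ("report-2005_12" . $taint, $user) {
    my $ok = untaint_name($candidate);
    if (defined $ok) { status("allow-list accepted '$ok'", $ok) }
    else             { print "allow-list rejected: '$candidate'\n" }
}
```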
Re: What's your favourite method of untainting?
by Happy-the-monk (Canon) on Dec 14, 2005 at 12:25 UTC
A blessed horn of a unicorn untaints everything
There's no general way to untaint my vars, as they aren't supposed to contain general values. To make sense, each plausibility check needs to be done individually as to what needs to be checked for, thereby untainting the variable. Simplifying that much doesn't make sense in real life.
Don't blame me for not getting the joke this time =)
I got it, will use the unicorn's horn...
Cheers, Sören
Re: What's your favourite method of untainting?
by hardburn (Abbot) on Dec 16, 2005 at 00:29 UTC
No, no, no! Only my method gives perfect security:
undef $val;
Let me see you h4x0rs get past that!
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.
Re: What's your favourite method of untainting?
by ysth (Canon) on Dec 15, 2005 at 05:10 UTC
Re: What's your favourite method of untainting?
by japhy (Canon) on Dec 16, 2005 at 16:26 UTC
WTF is up with the fourth option? It's got a syntax error, and I can't see how it could possibly work.
($foo) = ($val =~ /^(?!.).$/);
and the essence of it is that it never accepts any incoming data (albeit in a roundabout way).
Re: What's your favourite method of untainting?
by Anonymous Monk on Dec 14, 2005 at 12:40 UTC
Re: What's your favourite method of untainting?
by kwaping (Priest) on Dec 17, 2005 at 03:20 UTC
Re: What's your favourite method of untainting?
by gu (Beadle) on Dec 19, 2005 at 08:32 UTC
What? You all wise monks don't even have a USB blessed horn of a unicorn?
Gu
Re: What's your favourite method of untainting?
by ambrus (Abbot) on Feb 18, 2008 at 16:35 UTC
Re: What's your favourite method of untainting?
by TedPride (Priest) on Dec 16, 2005 at 16:26 UTC
I don't untaint with Perl, because I only use it for admin scripts and personal use. My vote goes to blessed horn of a unicorn.