chromatic recently tweeted the question:

"Should Modern::Perl enable taint mode? (If so... hm, how do I do it?)"

...which surprised me, as I tend not to use taint mode.

petdance then replied saying:

"Yes, yes, taint mode is crucial. There's rarely a reason NOT to use it."

...which surprised me even more.

I tried using taint mode throughout my application at one stage, but found myself naively untainting paths with

($path) = ($path =~ /(.+)/);

which kinda defeats the purpose. Almost always, I found that the stuff I was untainting would have required root access to mess with anyway, and so I gave up on taint mode. The places where exploits were possible, I added relevant code to deal with those particular situations, and all data coming from the user gets validated.

Of course, I may have missed some situations. Maybe I'm being naive. But is enabling taint mode by default the answer to that? Doesn't it mean that, for most people, their code will just fill up with:

$path = untaint($path)

What do you think? To taint or not to taint?


In reply to To taint or not to taint? by clinton
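As an added example (not code from clinton's post or from Modern::Perl), the script below puts the post's `(.+)` untaint next to a whitelist untaint so the difference is visible under `perl -T`. The function names `untaint_anything` and `untaint_filename`, the character set accepted for a file name, and the sample inputs are all constructed for this example; real input would arrive tainted via `@ARGV`, `%ENV`, `STDIN` or a CGI parameter.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, Perl refuses to use tainted data in system(), open() for
# writing, unlink() and similar. The only sanctioned way to untaint is a
# regex capture, so the regex IS the validation; a (.+) capture validates
# nothing. -T also requires a clean PATH before any external command runs.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The post's pattern: whatever comes in goes out, minus the taint flag.
# Note that without /s the capture also silently stops at the first
# newline, so the value may be truncated rather than rejected.
sub untaint_anything {
    my ($value) = @_;
    my ($clean) = ($value =~ /(.+)/);
    return $clean;
}

# Whitelist untaint (constructed policy): a bare file name of 1..64 chars
# from a fixed alphabet, no directory separators, no leading dot.
# Returns undef when the whole string does not match, so callers must
# check for rejection instead of assuming success.
sub untaint_filename {
    my ($value) = @_;
    return undef unless defined $value;
    my ($clean) = ($value =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/);
    return $clean;
}

# Constructed samples; when arguments are given they are used instead and,
# under -T, arrive tainted, which the taint column then reflects.
my @samples = @ARGV ? @ARGV : ('report.txt', '../other.txt', "a\nb", '.hidden');

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $naive = untaint_anything($input);
    my $safe  = untaint_filename($input);
    printf "%-16s in:%-9s naive:%-14s whitelist:%s\n",
        "'$shown'",
        tainted($input) ? 'tainted' : 'literal',
        defined $naive ? "'" . ($naive =~ s/\n/\\n/r) . "'" : 'reject',
        defined $safe  ? "pass ($safe)" : 'reject';
}
```

Run it as `perl -T untaint_demo.pl` (and again with your own arguments) to see that the `(.+)` version accepts the path traversal string, truncates the newline case to `a`, and only rejects the empty string, while the whitelist version accepts exactly `report.txt`. That is the practical answer to the post's worry: filling code with `untaint($path)` is harmless when `untaint` encodes what the value is allowed to be, and pointless when it encodes "anything".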