Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re: Re: Re: *Web Security

by ariels (Curate)
on Jun 23, 2002 at 11:31 UTC ( [id://176588]=note: print w/replies, xml ) Need Help??


in reply to Re^2: Web Security
in thread Web Security

Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)

How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated.

Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits.

I don't want to have to begin every Perl6 program of mine with

#!/usr/local/bin/perl6 no taint; # Don't pretend I don't know how # to run a program no CGI; # Don't parse CGI parameters no Application::Web; # Don't overload open to open URLs no GUI::Tk; # Don't do "new Tk::MainWindow" no GUI::Any; # Don't wrap my script in an event # loop. no DBI; # Don't automatically connect to # a database no Pod::Any; # Don't print a blank line before # and after every line beginning "=" no HTML; # Don't switch regexp syntax no Net; # Don't set $|=1 #use strict; # Unneeded in Perl6! Yippee! #use warnings; # - ditto -
Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications.

I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.

Replies are listed 'Best First'.
Re: Re: Re: Re: *Web Security
by Trimbach (Curate) on Jun 23, 2002 at 19:44 UTC
    Your point is well taken and I agree whole-heartedly. However, wouldn't it be nice if you could turn on taint mode when you turn on a certain package? In other words, what if use CGI; could be modified to always turn on Taint at the same time? There might be other modules that could benefit from this, too.

    Gary Blackburn
    Trained Killer

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://176588]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others admiring the Monastery: (4)
As of 2024-03-29 06:49 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found