Do you know where your variables are? | |
PerlMonks |
Re: Re: Re: *Web Securityby ariels (Curate) |
on Jun 23, 2002 at 11:31 UTC ( [id://176588]=note: print w/replies, xml ) | Need Help?? |
Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)
How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated. Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits. I don't want to have to begin every Perl6 program of mine with Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications. I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.
In Section
Meditations
|
|