
Re: Re: Re: *Web Security

by ariels (Curate)
on Jun 23, 2002 at 11:31 UTC

in reply to Re^2: Web Security
in thread Web Security

Well, not all Perl scripts/programs are run as CGI applications. Almost none of mine are. Where I work, almost all scripts are run from the command-line or some batch system, not from the Web. And I'll wager Perl still has more non-Web applications than Web applications. (No, I have no data to back this statement, except my distorted viewpoint. But I'm claiming Perl is general-purpose, while others claim it's special-purpose; I'd say the burden of proof is on Them.)

How's a poor perl6 interpreter to know if it should "autoenable taint" for all my programs? It cannot miraculously guess it's running as a CGI program, because that would force perl6 to know about one particular (if common) setup. Not only would that leave many holes, but these holes would also be more dangerous -- due to the illusion of security generated.

Should perl6 run in taint mode for all programs, except if explicitly disabled? This would mean Perl becomes a language which doesn't trust any input. It means I have to flag a whole class of scripts with "no, it's not a CGI script". This is wholly unlike warnings and strict: whereas use warnings and use strict are universally good ideas (except for a few places where they're not so hot), taint is useful only for programs with input that is less trusted than their execute permission bits.

I don't want to have to begin every Perl6 program of mine with

    #!/usr/local/bin/perl6
    no taint;            # Don't pretend I don't know how
                         # to run a program
    no CGI;              # Don't parse CGI parameters
    no Application::Web; # Don't overload open to open URLs
    no GUI::Tk;          # Don't do "new Tk::MainWindow"
    no GUI::Any;         # Don't wrap my script in an event
                         # loop.
    no DBI;              # Don't automatically connect to
                         # a database
    no Pod::Any;         # Don't print a blank line before
                         # and after every line beginning "="
    no HTML;             # Don't switch regexp syntax
    no Net;              # Don't set $|=1
    #use strict;         # Unneeded in Perl6! Yippee!
    #use warnings;       # - ditto -

Each of these hypothetical defaults I switch off would make excellent sense... for a particular family of applications.

I want a general-purpose programming language. Perl's taint mechanism is an intriguing addition to the datatype mechanism. But it's certainly not always needed.

Re: Re: Re: Re: *Web Security
by Trimbach (Curate) on Jun 23, 2002 at 19:44 UTC
    Your point is well taken and I agree whole-heartedly. However, wouldn't it be nice if you could turn on taint mode when you turn on a certain package? In other words, what if use CGI; could be modified to always turn on Taint at the same time? There might be other modules that could benefit from this, too.

    Gary Blackburn
    Trained Killer
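Neither post shows what taint mode actually does at run time, or how far Trimbach's idea can be taken in today's Perl 5 (the perl6 in the thread is hypothetical): -T can only be set when the interpreter starts, so a module cannot switch it on for you, but its import can refuse to load without it. The following is an added example, not code from either poster; Hypothetical::RequireTaint is an invented module name and the input string is constructed.

```perl
# Added example, not from the thread.  Run as:  perl -T taint_demo.pl
# Assumes Perl 5 (5.14 or later for the package BLOCK syntax); perl6 is not covered.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical module, inlined here.  A module cannot turn -T on after
# startup, but its import() can refuse to load unless taint checks are
# already active: ${^TAINT} is 1 under -T, -1 under -t, 0 otherwise.
package Hypothetical::RequireTaint {
    sub import {
        ${^TAINT} > 0
            or die "Hypothetical::RequireTaint: restart with perl -T\n";
    }
}
BEGIN { Hypothetical::RequireTaint->import }   # what 'use' would call

# Constructed untrusted input: a literal made tainted by appending a
# zero-length slice of %ENV, which perl always treats as tainted under -T.
my $filename = "report-2002" . substr($ENV{PATH} // '', 0, 0);
print "input tainted: ", (tainted($filename) ? "yes" : "no"), "\n";

# Using it where it could do damage is refused by the interpreter itself
# ("Insecure dependency in open while running with -T option").
eval { open my $fh, '>', "/tmp/$filename" or die "open: $!"; 1 }
    or print "write refused: $@";

# The only way back to trusted data: decide what a valid name looks like
# and extract it with a regex capture.  Anything else is rejected outright.
my ($safe) = $filename =~ /\A([\w.-]+)\z/
    or die "refusing filename with unexpected characters\n";
print "after regex capture tainted: ", (tainted($safe) ? "yes" : "no"), "\n";
```

Run without -T, the script dies in the BEGIN block before any of the demonstration executes; that is the closest a module can come to "turning on taint at the same time".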
