[5.8.0 Note] use Taint or die

With Perl 5.8.0, a new special variable has been introduced, ${^TAINT}, which indicates whether taint mode is enabled - See perldelta. The following little block of code has been written to show how this variable may be of used to ensure the application of taint mode with code which may accept potentially dangerous input from outside of the codebase.

Moreover, I wanted to write a piece of code that mandated the requirement of taint mode where the lexical term 'use Taint' was employed. Subsequently, I wasn't sure if this post rightly belonged in Meditations or Poetry :-)

package Taint;

require 5.8.0;

use Carp;

croak( 'Code execution called without -T (taint) switch' ) unless ${^T
+AINT};

1;

__END__
[download]

And in usage ...

kathmandu:/home/development/perl-5.8.0# ./bin/perl5.8.0 -e 'use Taint'
Code execution called without -T (taint) switch at -e line 1
Compilation failed in require at -e line 1.
BEGIN failed--compilation aborted at -e line 1.
kathmandu:/home/development/perl-5.8.0# ./bin/perl5.8.0 -T -e 'use Tai
+nt'
kathmandu:/home/development/perl-5.8.0#
[download]

perl -e 'print+unpack("N",pack("B32","00000000000000000000000111101101")),"\n"'

Comment on [5.8.0 Note] use Taint or die Select or Download Code

Replies are listed 'Best First'.
Re: [5.8.0 Note] use Taint or die by RMGir (Prior) on Nov 29, 2002 at 13:23 UTC
Cool... Since the package doesn't turn tainting on, but only enforces it, maybe it should be named something like "ForceTaint" or "CheckTaint" instead? -- Mike	[reply]
Re: [5.8.0 Note] use Taint or die by Abigail-II (Bishop) on Nov 29, 2002 at 13:31 UTC
But you can't rely on it checking for Tainting, or forcing it. Why? Because you are using the module while taint isn't in effect. Which means that `@INC` could already have been tampered with (for instance, because you got a nasty `PERL5LIB` environment variable). And if `@INC` was tampered with, it could mean you aren't using the module you think you are using. Abigail	[reply] [d/l] [select]
Re: Re: [5.8.0 Note] use Taint or die by theorbtwo (Prior) on Nov 29, 2002 at 23:11 UTC
It is, however, significantly better then nothing, esp. if used properly. Specificly, you should "use Taint" before even looking at possibly tainted data, as far as you can get away with it. If it's the second line in your file (after the shabang), that's a very small window to mess things up. Additionaly, unless you advertise it (such as by using CGI::Carp :fatalsToBrowser), they won't know you're using the Taint module, and thus not design their crack to account for it. Essensialy, the only attack left is to try to mess up PERL5LIB (or possibly PATH with a tainted perl binary) before perl is invoked. It's not a bullet-proof-vest, just bullet-resistant. Still better then nothing. (The /best/ thing to do would be to have `die "INVOKED WITHOUT TAINT!" unless ${^TAINT}` directly as the second line of your script. PS -- does anybody know what ${^TAINT} is set to in "baby taint mode" (IE -t, warn on taint violation mode). I'm running 5.6.1, which doesn't support either. It might be possible to fake out ${^TAINT} checking with -t. Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).	[reply] [d/l]
Re^3: [5.8.0 Note] use Taint or die by particle (Vicar) on Nov 30, 2002 at 02:06 UTC
Re: Re^3: [5.8.0 Note] use Taint or die by theorbtwo (Prior) on Nov 30, 2002 at 02:29 UTC
Re: [5.8.0 Note] use Taint or die by Abigail-II (Bishop) on Nov 30, 2002 at 15:47 UTC


Clear questions and runnable code get the best and fastest answer
	PerlMonks