http://qs1969.pair.com?node_id=516577


What's tainting? (102 votes, 35%)
($foo) = ($val =~ /^(.*)$/g); (43 votes, 15%)
($foo) = (keys %{ +{$val}}); (5 votes, 2%)
($foo) = ($val =~ /^(?!.).$/ (11 votes, 4%)
A blessed horn of a unicorn untaints everything (131 votes, 45%)
292 total votes
Re: What's your favourite method of untainting?
by rob_au (Abbot) on Dec 14, 2005 at 12:11 UTC

    For those who are unaware, the untainting method described in the third option refers specifically to tainting behaviour for hash keys: that is, hash keys are not tainted, ever. From perlsec: "Because taintedness is associated with each scalar value, some elements of an array or hash can be tainted and others not. The keys of a hash are never tainted."


    perl -le "print unpack'N', pack'B32', '00000000000000000000001000000000'"

      As per Wikipedia, taint means:
      "in computer science, in particular in the Perl programming language, 'tainted' data are considered untrusted and are treated with caution"
      Some Guru may want to add some more information to it, since it is described in a short manner.
Re: What's your favourite method of untainting?
by rinceWind (Monsignor) on Dec 14, 2005 at 11:13 UTC
    A blessed horn of a unicorn untaints everything

    Is a 'horn' synonymous with a reference I wonder :). There's potential for a new Acme:: module here.

    --

    Oh Lord, won’t you burn me a Knoppix CD ?
    My friends all rate Windows, I must disagree.
    Your powers of persuasion will set them all free,
    So oh Lord, won’t you burn me a Knoppix CD ?
    (Misquoting Janis Joplin)

      I'll bite.

      Note: Untested. And no, I'm not uploading this.

          -Bryan

      Update: It seems my untested code did have a flaw! Thanks ambrus++.

        I think this is wrong:

        ($foo) = ($variable =~ /^(.*)$/g);
        shouldn't you add an s switch to the regexp so that it would match multi-line strings?
Re: What's your favourite method of untainting?
by tbone1 (Monsignor) on Dec 14, 2005 at 13:29 UTC
    s/\r\n/\n/g;

    --
    tbone1, YAPS (Yet Another Perl Schlub)
    And remember, if he succeeds, so what.
    - Chick McGee

      Isn't that called deBilling?
Re: What's your favourite method of untainting?
by Nkuvu (Priest) on Dec 14, 2005 at 17:07 UTC

    Personally I like the method: my ($foo) = $var =~ /^.*$/

    It's the "I don't care what was there, but now I'm sure it's safe" untaint method. And it looks more impressive than my $foo = 1.
    </tongue_in_cheek>

Re: What's your favourite method of untainting?
by ambrus (Abbot) on Dec 16, 2005 at 11:53 UTC

    My favourite one is

    $string =~ /\A(.*)\z/s or die; $string = $1;
    however this one is also nice (for byte strings):
    $x = pack "B*", do { unpack "B*", $x };
    it appears that if you take a string apart to bits and reassemble, the result is untainted as the individual bits can't be tainted. In contrast, bytes are eight times larger than characters so they're large enough for taint to stick on them, thus the following doesn't untaint the string but returns it unchanged.
    $x = pack "C*", do { unpack "C*", $x }; # wrong
Re: What's your favourite method of untainting?
by neosamuri (Friar) on Dec 14, 2005 at 20:47 UTC
    A blessed horn of a unicorn untaints everything

    This sounds like a NetHack reference. Which brings to mind what can be done with the union of Nethack and perl.

      It is. And I'll bite. What specifically did you have in mind?
      Log parsing? Gamesaving? Or something More Sinister?
      -R
      -Reality might not get out of Beta today. (O.Timas, "Bot")
Re: What's your favourite method of untainting?
by ysth (Canon) on Dec 15, 2005 at 05:10 UTC
    $foo = each %{{$foo,0}}

      thanks for this. As it now issues the warning (perl v5.36.0):

      each on anonymous hash will always start from the beginning

      I propose this variation: ($foo) = keys %{{$foo,0}}

      Also, here is a test script using Test::Taint to check taintness:

      #!perl -T
      use strict;
      use warnings;
      use Test::More;
      use Test::Taint;

      my $foo = "ababab";
      taint($foo);
      tainted_ok($foo, "foo is tainted");
      ($foo) = keys %{{$foo,0}};
      untainted_ok($foo, "foo is now untainted");
      done_testing;

      bw, bliako

Re: What's your favourite method of untainting?
by SirBones (Friar) on Dec 15, 2005 at 13:15 UTC

    Taint thinner.

    "This bounty hunter is my kind of scum: Fearless and inventive." --J.T. Hutt
Those options all scare me...
by jonadab (Parson) on Dec 16, 2005 at 14:36 UTC
    I thought the whole point of running in taint mode in the first place was to remind yourself to sanity-check all the user input and ensure it doesn't have any bizarroid stuff in it that you didn't expect, and that the recommended best practice was to combine untainting with validating, as in
    ($num) = $num =~ /(\d+)/;
    ($str) = $str =~ /([A-Za-z0-9_-]+)/;
    i.e., everything not specifically allowed is verboten.
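
    As an added example (not code from the thread), the script below runs under -T and puts the poll's launder-style untaints next to the allowlist approach described above, checking each result with Scalar::Util::tainted. The input strings are constructed, and the anchored variant of the allowlist pattern is an addition here, not something jonadab posted.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread.  Run as: perl -T untaint.pl
# Compares the poll's "launder" untaints with jonadab's allowlist approach,
# checking each result with Scalar::Util::tainted (core module).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted input.  Under -T every %ENV value is tainted, and an
# expression containing any tainted substring is tainted, so a zero-length
# slice of the environment taints the literal it is concatenated with.
my $taint  = substr( join( '', values %ENV ), 0, 0 );
my @inputs = map { $_ . $taint } ( "backup_2023-11", "backup;now", "a\nb" );

# Poll option 1 as written (no /s): fails outright on multi-line input.
sub launder_noflag { my ($v) = @_; my ($r) = $v =~ /^(.*)$/g;  return $r }
# ambrus's variant: untaints any value at all, validates nothing.
sub launder_all    { my ($v) = @_; my ($r) = $v =~ /\A(.*)\z/s; return $r }
# Poll option 2 / ysth: hash keys are never tainted, so nothing is rejected.
sub hash_key       { my ($v) = @_; my ($r) = keys %{{ $v, 0 }};   return $r }
# jonadab's pattern as posted: unanchored, so "backup;now" becomes "backup".
sub allow_unanch   { my ($v) = @_; my ($r) = $v =~ /([A-Za-z0-9_-]+)/;     return $r }
# Same allowlist with anchors added here: whole value accepted, or rejected.
sub allow_anchored { my ($v) = @_; my ($r) = $v =~ /\A([A-Za-z0-9_-]+)\z/; return $r }

my %method = (
    launder_noflag => \&launder_noflag, launder_all  => \&launder_all,
    hash_key       => \&hash_key,       allow_unanch => \&allow_unanch,
    allow_anchored => \&allow_anchored,
);

# Render a value for display: undef means the untaint rejected the input.
sub show {
    my ($v) = @_;
    return 'undef (rejected)' unless defined $v;
    ( my $s = $v ) =~ s/\n/\\n/g;
    return qq("$s");
}

for my $in (@inputs) {
    printf "input %-18s tainted=%d\n", show($in), tainted($in) ? 1 : 0;
    for my $name ( sort keys %method ) {
        my $out = $method{$name}->($in);
        printf "  %-15s -> %-18s tainted=%s\n", $name, show($out),
            defined $out ? ( tainted($out) ? 1 : 0 ) : '-';
    }
}
```

    Every method clears the taint flag on whatever it returns; only the anchored allowlist rejects "backup;now" and "a\nb" instead of passing them (or a silently truncated "backup") through as trusted.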
Re: What's your favourite method of untainting?
by Happy-the-monk (Canon) on Dec 14, 2005 at 12:25 UTC

    A blessed horn of a unicorn untaints everything

    There's no general way to untaint my vars, as they aren't supposed to contain general values. To make sense, each plausibility check needs to be done individually as to what needs to be checked for, thereby untainting the variable. Simplifying that much doesn't make sense in real life.

    Don't blame me for not getting the joke this time =)
    I got it, will use the unicorn's horn...

    Cheers, Sören

Re: What's your favourite method of untainting?
by hardburn (Abbot) on Dec 16, 2005 at 00:29 UTC

    No, no, no! Only my method gives perfect security:

    undef $val;

    Let me see you h4x0rs get past that!

    "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

Re: What's your favourite method of untainting?
by japhy (Canon) on Dec 16, 2005 at 16:26 UTC
    WTF is up with the fourth option? It's got a syntax error, and I can't see how it could possibly work.

    Jeff japhy Pinyan, P.L., P.M., P.O.D, X.S.: Perl, regex, and perl hacker
    How can we ever be the sold short or the cheated, we who for every service have long ago been overpaid? ~~ Meister Eckhart

      Whoops - that's a typo. It should be:

      ($foo) = ($val =~ /^(?!.).$/);

      and the essence of it is, that it never accepts any incoming data (albeit in a roundabout way).

Re: What's your favourite method of untainting?
by Anonymous Monk on Dec 14, 2005 at 12:40 UTC
    I like to just cog it
Re: What's your favourite method of untainting?
by kwaping (Priest) on Dec 17, 2005 at 03:20 UTC
    What, no -t?
Re: What's your favourite method of untainting?
by ambrus (Abbot) on Feb 18, 2008 at 16:35 UTC

    With the untaint function of the new Taint::Util module.

Re: What's your favourite method of untainting?
by Bod (Parson) on Nov 10, 2023 at 00:05 UTC

    None of the supplied options...

    my $foo;
    if ($bar =~ m!(acceptable_value|allowed_value)!) {
        $foo = $1;
    } else {
        die 'Invalid value of tainted $bar: ' . $bar;
    }
      Do you write code like that?
      my $foo = $bar =~ m!(acceptable_value|allowed_value)! ? $1 : die 'Invalid value of tainted $bar: ' . $bar;
      (though I'm not sure why you have $bar twice in the error message...)
        ... : die 'Invalid value of tainted $bar: ' . $bar;
        (though I'm not sure why you have $bar twice in the error message...)

        First $bar is within single quotes, so not interpolated; second $bar is interpolated. die message will look like this:

        Invalid value of tainted $bar: tainted_bar_value ...

        — Ken

        Do you write code like that?

        Yes...

        It is clear exactly what it does and it's easy to maintain even by a non-Perl expert (perhaps that should be a Perl non-expert!)

Re: What's your favourite method of untainting?
by gu (Beadle) on Dec 19, 2005 at 08:32 UTC
    What ? You all wise monks don't even have a USB blessed horn of a unicorn ?

    Gu
Re: What's your favourite method of untainting?
by TedPride (Priest) on Dec 16, 2005 at 16:26 UTC
    I don't untaint with Perl, because I only use it for admin scripts and personal use. My vote goes to blessed horn of a unicorn.

      If you are not using taint mode in your admin scripts then you, my friend, are just asking for fat-fingered trouble.


      🦛

        Things may have changed in the intervening years!
