in reply to Re^3: How to disable taint checking by Perl?
in thread How to disable taint checking by Perl?

This is misinformed. Taint mode only gets enabled when running a script under differing real and effective user or group ids. Otherwise taint mode needs to be explicitly enabled in the script using the -T command line/hashbang. See perlsec.

Enforcing taint would mean a lot more programming effort in each script since even system() or open() won't work easily without explicit untainting.

Replies are listed 'Best First'.
Re^5: How to disable taint checking by Perl?
by Polyglot (Chaplain) on Oct 25, 2023 at 13:40 UTC
    Corion,

    It has been my understanding that the taint mode was not explicitly turned on as well--until I encountered issues not long back with a more recent version of Perl, leading to my present uncertainty. Can you verify that the current Perl version does not automatically use taint, without it having been explicitly invoked in the script, and are you aware of any online documentation for this?

    Blessings,

    ~Polyglot~

[reply]

      I don't know why the absence of an idea would be explicitly documented somewhere in the Perl documentation. But you can look through the past perldelta files, which would certainly list that change.

      A quick test that Perl does not enable taint mode by default:

      corion$ perl -MScalar::Util=tainted -wE 'my $fn = shift; say tainted($
+fn)' foo
0
corion$ perl -T -MScalar::Util=tainted -wE 'my $fn = shift; say tainte
+d($fn)' foo
1

      [download]
[reply]
[d/l]
        What version of Perl is that, Corion?

        The link you shared earlier stated:

        By default, Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs.

        But, lest one think that this were the only criterion upon which taint would be invoked, look a little further down in that documentation and we see...

        Support for taint checks adds an overhead to all Perl programs, whether or not you're using the taint features. Perl 5.18 introduced C preprocessor symbols that can be used to disable the taint features.
        ...and this is followed by some itemization of things that are not checked by default for taintedness, implying everything else is.

        To my logical mind, those two statements don't quite add up. Why does taint need to have special ways of being disabled if it were not first engaged? If taint checks can be done on an explicit, variable basis, why the need to have special tools to disengage it?

        Thus, I find the documentation to be ambiguous. Perhaps someone could help to rewrite that portion of the documentation to make clear exactly how much taint checking is made mandatory, and by which versions of Perl. A table would be nice. I like tables.

        Blessings,

        ~Polyglot~

[reply]
      The explanation in the first paragraph is explicitly defined in the hyperlink provided. Previously.

[reply]

In Section Seekers of Perl Wisdom