in reply to Re^5: How to disable taint checking by Perl?
in thread How to disable taint checking by Perl?

I don't know why the absence of an idea would be explicitly documented somewhere in the Perl documentation. But you can look through the past perldelta files, which would certainly list that change.

A quick test that Perl does not enable taint mode by default:

    corion$ perl -MScalar::Util=tainted -wE 'my $fn = shift; say tainted($fn)' foo
    0
    corion$ perl -T -MScalar::Util=tainted -wE 'my $fn = shift; say tainted($fn)' foo
    1

Re^7: How to disable taint checking by Perl?
by Polyglot (Chaplain) on Oct 25, 2023 at 14:56 UTC
    What version of Perl is that, Corion?

    The link you shared earlier stated:

    By default, Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs.

    But, lest one think that this were the only criterion upon which taint would be invoked, look a little further down in that documentation and we see...

    Support for taint checks adds an overhead to all Perl programs, whether or not you're using the taint features. Perl 5.18 introduced C preprocessor symbols that can be used to disable the taint features.
    ...and this is followed by some itemization of things that are not checked by default for taintedness, implying everything else is.

    To my logical mind, those two statements don't quite add up. Why does taint need to have special ways of being disabled if it were not first engaged? If taint checks can be done on an explicit, variable basis, why the need to have special tools to disengage it?

    Thus, I find the documentation to be ambiguous. Perhaps someone could help to rewrite that portion of the documentation to make clear exactly how much taint checking is made mandatory, and by which versions of Perl. A table would be nice. I like tables.

    Blessings,

    ~Polyglot~

      A table would be nice. I like tables.

      Here is a table showing when taint mode is enabled. HTH.

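      | Perl version | UID != EUID | GID != EGID | -T argument | Anything else |
      |--------------|-------------|-------------|-------------|---------------|
      | 5.10.0       | Yes         | Yes         | Yes         | No            |
      | 5.12.0       | Yes         | Yes         | Yes         | No            |
      | 5.14.0       | Yes         | Yes         | Yes         | No            |
      | 5.16.0       | Yes         | Yes         | Yes         | No            |
      | 5.18.0       | Yes         | Yes         | Yes         | No            |
      | 5.20.0       | Yes         | Yes         | Yes         | No            |
      | 5.22.0       | Yes         | Yes         | Yes         | No            |
      | 5.24.0       | Yes         | Yes         | Yes         | No            |
      | 5.26.0       | Yes         | Yes         | Yes         | No            |
      | 5.28.0       | Yes         | Yes         | Yes         | No            |
      | 5.30.0       | Yes         | Yes         | Yes         | No            |
      | 5.32.0       | Yes         | Yes         | Yes         | No            |
      | 5.34.0       | Yes         | Yes         | Yes         | No            |
      | 5.36.0       | Yes         | Yes         | Yes         | No            |
      | 5.38.0       | Yes         | Yes         | Yes         | No            |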

      🦛

        That's a good start, Hippo, thank you! Now, how much would it take to add the sub-components alluded to in the documentation?

        For example:

        On versions of Perl before 5.26, activating taint mode will also remove the current directory (".") from the default value of @INC. Since version 5.26, the current directory isn't included in @INC by default.

        I'd like to know what the differences in taint implementation are from one Perl version to another. I never had trouble with the @INC nor with the use of backticks to execute an external command until I unsuspectingly used a version of Perl advanced beyond this line. From what I see in the documentation, this is not the only aspect which has seen changes in taint implementation. For example:

        To test whether a variable contains tainted data, and whose use would thus trigger an "Insecure dependency" message, you can use the tainted() function of the Scalar::Util module, available in your nearby CPAN mirror, and included in Perl starting from the release 5.8.0. Or you may be able to use the following is_tainted() function.

        I note that your table did not go back as far as to 5.8.0--but things were already starting to move at that point, if not before.

        To be clear, my understanding is that the taint mode is no longer so much of an all-or-nothing feature: it comes in multiple shades these days. It may have been true in the past that it was either enabled or disabled...this seems to be no longer the case, and it is precisely this condition for which a table would come in handy, as there is much more information than merely "Yes" or "No" which is relevant.

        Blessings,

        ~Polyglot~
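The points raised in this part of the thread (when taint mode is on, the "." entry in @INC, tainted(), and backticks) can be observed on any given perl with a short script. This is an added example, not code from any poster or from the Perl documentation; the file name taint_report.pl is an assumption, and it assumes a Unix-like system with echo available in /bin or /usr/bin.

```perl
#!/usr/bin/perl
# Added example (not from the thread): report the taint state of this process.
# Run as `perl taint_report.pl foo` and again as `perl -T taint_report.pl foo`.
# The file name taint_report.pl is an assumption.
use strict;
use warnings;
use POSIX qw(getuid geteuid getgid getegid);
use Scalar::Util qw(tainted);

sub yn { $_[0] ? 'yes' : 'no' }

# ${^TAINT} is 1 when taint mode is on, -1 for warnings only (-t), 0 when off.
my %mode = (0 => 'off', 1 => 'on', -1 => 'on, warnings only (-t)');
printf "perl v%vd, taint mode: %s\n", $^V, $mode{${^TAINT}};
printf "uid %d, euid %d, gid %d, egid %d\n",
    getuid(), geteuid(), getgid(), getegid();

# Whether the current directory is searched for modules.
my $dot_in_inc = grep { $_ eq '.' } @INC;
printf "'.' in \@INC: %s\n", yn($dot_in_inc);

# Data from outside the program is tainted only when taint mode is on.
my $arg = @ARGV ? $ARGV[0] : '';
printf "ARGV[0] tainted: %s\n", yn(tainted($arg));
printf "ENV{PATH} tainted: %s\n", yn(tainted($ENV{PATH}));

# A regex capture of a validated value yields an untainted copy.
my ($clean) = $arg =~ /\A([\w.-]+)\z/;
printf "validated copy tainted: %s\n",
    defined($clean) ? yn(tainted($clean)) : 'n/a (rejected)';

# Under taint mode, backticks die while the environment is untrusted.
sub try_echo {
    my $out = eval { `echo ok` };
    return defined($out)
        ? 'ran, output tainted: ' . yn(tainted($out)) . "\n"
        : "refused: $@";    # the die message already ends in a newline
}
print 'backticks, inherited env: ', try_echo();

# Set a known PATH and drop the shell-affecting variables listed in perlsec.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
print 'backticks, cleaned env:   ', try_echo();
```

Without -T every line reports "off" or "no"; with -T the first backtick attempt is refused with an "Insecure $ENV{PATH}" message and the second one runs.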

      Changes in the C preprocessor symbols affect how Perl is compiled. If you don't compile Perl yourself using these special symbols, your perl executable supports taint checks.

      The items in the documentation are not related to the paragraph about the C preprocessor symbols. These things are never tainted/checked for taintedness.

      map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

      I see that when the paragraph about preprocessor symbols was added, it was placed between the phrase "with the following exceptions:" and the list of exceptions. I have submitted a patch to fix that, but in the meantime the document may make a little more sense if you temporarily cover up the paragraph starting "Support for taint checks adds an overhead to all Perl programs".

        HV, I may be rather dull, but I didn't see any mention of compiling Perl in that entire section relative to the preprocessor symbols. Perhaps those in the know would automatically understand it: I'm not at their level. I didn't understand it to be saying anything about compilation.

        The only remarks I found about compiling in that document are made in the two consecutive sections labeled "Shebang Race Condition" and "Protecting Your Programs" followed by one additional section titled "Algorithmic Complexity Attacks"--none of which is related to taint.

        Perhaps you could suggest clarifications about the compilation aspect as well.

        Blessings,

        ~Polyglot~