Re: Re: [5.8.0 Note] use Taint or die

It is, however, significantly better then nothing, esp. if used properly. Specificly, you should "use Taint" before even looking at possibly tainted data, as far as you can get away with it. If it's the second line in your file (after the shabang), that's a very small window to mess things up. Additionaly, unless you advertise it (such as by using CGI::Carp :fatalsToBrowser), they won't know you're using the Taint module, and thus not design their crack to account for it. Essensialy, the only attack left is to try to mess up PERL5LIB (or possibly PATH with a tainted perl binary) before perl is invoked. It's not a bullet-proof-vest, just bullet-resistant. Still better then nothing. (The /best/ thing to do would be to have die "INVOKED WITHOUT TAINT!" unless ${^TAINT} directly as the second line of your script.

PS -- does anybody know what ${^TAINT} is set to in "baby taint mode" (IE -t, warn on taint violation mode). I'm running 5.6.1, which doesn't support either. It might be possible to fake out ${^TAINT} checking with -t.

Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

Comment on Re: Re: [5.8.0 Note] use Taint or die Download Code

Replies are listed 'Best First'.
Re^3: [5.8.0 Note] use Taint or die by particle (Vicar) on Nov 30, 2002 at 02:06 UTC
`> perl -t -e"die ${^TAINT}" 1 at -e line 1. > perl -T -e"die ${^TAINT}" 1 at -e line 1. > perl -e"die ${^TAINT}" 0 at -e line 1. >` [download] ~Particle accelerates	[reply] [d/l] [select]
Re: Re^3: [5.8.0 Note] use Taint or die by theorbtwo (Prior) on Nov 30, 2002 at 02:29 UTC
I just got a copy of 5.8.0 installed, and posted to perl5-porters (perl.perl5.porters, actualy, via the NNTP gateway at nntp.perl.org, which is quite nice), suggesting they change the defintion of ${^TAINT} to differentiate between the two kinds of taint. Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).	[reply]
Re: [5.8.0 Note] use Taint or die by Abigail-II (Bishop) on Nov 30, 2002 at 15:47 UTC
It's giving you a false sense of security. You shouldn't use `use Taint;` as your first line after the shebang, you should use `-T` as your first option on the shebang line. Abigail	[reply] [d/l] [select]