Re: Re: Why do I need -w in a cgi script
by Juerd (Abbot) on Oct 09, 2003 at 16:19 UTC
The real question is whether it's reasonable to turn off Taint checking for production use, or whether it should always be left on, and I think this depends on your specific circumstances. I leave it on, personally.
Taint checking is a security tool, not a development tool. Unless security is unimportant in production, do not remove it.
Juerd
# { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
| [reply] |
Taint checking is a security tool, not a development tool. Unless security is unimportant in production, do not remove it.
Oh? I know it's a run-time mechanism, but I was under
the impression that if you were doing anything unsafe
with tainted data, a reasonable amount of testing would
flush that out, and you'd fix it, and subsequently you
would not be doing unsafe things with tainted data,
provided the script and the taintedness of its data
don't change and that you tested all the code pathways
in testing. I've been leaving it turned on, because
not forgetting to turn it back on if I make changes is
more important to me than performance, but I'd be
interested in an explanation of how my thinking in this
area is mistaken.
$;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}}
split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/
| [reply] [d/l] |
I was under the impression that if you were doing anything unsafe with tainted data, a reasonable amount of testing would flush that out
Sure. But testing is done by people. People make mistakes. The computer is here to help us. It's not perfect, but once you decide you like tainting, why remove it? Perhaps the computer will find more mistakes later.
Please note that I do not use -T unless when automatically enabled.
Juerd
# { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
| [reply] |
Re: Why do I need -w in a cgi script
by Abigail-II (Bishop) on Oct 09, 2003 at 16:20 UTC
Whether to leave on taint checking or not in production code
isn't a question. Removing it in production isn't an option.
It's like saying you keep safety belts on while preparing your
car, but you remove them from your car when you're about to
drive cross-country.
Abigail | [reply] |
I tentatively disagree
Once you have verified that your script runs with taint-checking, then taint-checking serves no further purpose
To correct your analogy, taint-checking is the irritating voice that tells you when your seat-belt is undone - once you fasten your seat-belt, this voice should not utter another word, and therefore what would be the difference if you turned it off entirely?
I would agree that it would be possible to write a script that would be vulnerable if taint-checking was disabled, but that would imply a faulty script and/or testing process (e.g. you never bothered to test the script using all available params)
Once more with feeling - taint-checking doesn't make your data 'safe' - it just prevents your script from processing unsafe data. The mechanisms you place in your script to make data 'safe' will still be present irrespective of whether taint-checking is on or off
Tom Melly, tom@tomandlu.co.uk
| [reply] |
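The case argued over in this thread, a code path that testing never reached, shown as an added example that is not code from any poster: under `-T` the unvalidated branch is stopped at run time, while the validated branch runs. The handler name, the request parameters and the use of `/bin/echo` as a stand-in external program are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the thread.
# Run as: perl -T taint_demo.pl   (-T must also be given on the command line)
use strict;
use warnings;

$| = 1;    # keep our output in order with the child program's output

# Taint mode refuses to run any program until the environment is trusted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Literals in the source are never tainted, so attach taint the way real CGI
# input carries it: a zero-length slice of external data is tainted but adds
# no characters to the string.
my $taint = substr(join('', %ENV, $0, $^X), 0, 0);

# Hypothetical handler; $p is a hashref of request parameters.
sub show_file_name {
    my ($p) = @_;
    my $name = $p->{file};

    if (($p->{mode} // '') eq 'debug') {
        # Rarely used branch that the test plan never exercised:
        # $name reaches the external program without validation.
        return system('/bin/echo', 'debug:', $name) == 0;
    }

    # Normal branch: validate, then use the captured (untainted) value.
    $name =~ /\A([A-Za-z0-9_.-]+)\z/ or die "bad file name\n";
    return system('/bin/echo', 'file:', $1) == 0;
}

for my $mode ('', 'debug') {
    # Constructed sample request, tainted as real input would be.
    my %req = (file => 'notes.txt' . $taint, mode => $mode . $taint);

    my $ok = eval { show_file_name(\%req) };
    if ($ok) {
        print "mode='$mode': command ran\n";
    }
    else {
        # Under -T the debug branch dies inside system() with an
        # "Insecure dependency" error before /bin/echo is started.
        print "mode='$mode': blocked: ", ($@ || "command failed\n");
    }
}
```

The validation regex is present in both runs; what differs with `-T` is only whether the branch that skips it is allowed to reach `system`.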