Re: Why do I need -w in a cgi script

Replies are listed 'Best First'.
Re: Re: Why do I need -w in a cgi script by Melly (Chaplain) on Oct 10, 2003 at 12:50 UTC
Heh - actually, I'd be willing to change my 'e.g.' to an 'i.e.'. Whilst bugs are a part of life, allowing a script to accept 3 params, but only testing with 2 prior to disabling taint would be, well, pretty dumb. And face it, anyone dumb enough to do that will probably have screwed up cleaning the user input anyway... Tom Melly, tom@tomandlu.co.uk	[reply]
Re: Why do I need -w in a cgi script by Abigail-II (Bishop) on Oct 10, 2003 at 12:55 UTC
What's pretty dumb is to assume you can write perfect tests. Abigail	[reply]
Re: Re: Why do I need -w in a cgi script by Melly (Chaplain) on Oct 10, 2003 at 13:24 UTC
True, but then, as I said, we're still screwed since taint doesn't force you to get the cleaning right Look, it's a moot point (who the hell turns off taint checking?), but a valid one. Turning off taint checking on a production script shouldn't make any difference Consider - you develop a script, and when you test with taint on, the following generates a warning: foreach(@ARGV){ `$_`; } [download] So you correct it: foreach(@ARGV){ /(\w)/; $foo = `ls -l $1`; } [download] Is this going to be any less secure for running without taint once you've got it to run with taint? foreach(@ARGV){ /(.)/; $foo = `$1`; } [download] and is this going to be any less insecure for running with taint? Tom Melly, tom@tomandlu.co.uk	[reply] [d/l] [select]
Re: Why do I need -w in a cgi script by Abigail-II (Bishop) on Oct 10, 2003 at 13:48 UTC
Re: Re: Why do I need -w in a cgi script by Melly (Chaplain) on Oct 10, 2003 at 14:27 UTC
Some notes below your chosen depth have not been shown here