I just released Test::Taint 0.01 to CPAN. I stole most of it from Tom Phoenix' Taint module. I was going to base it on Dan Sugalski's Taint module, but I felt a pure Perl solution made more sense.

I was concerned about duplicating code, but the more I thought about it, it seems that Test::Taint really obviates both Taint distributions. It seems to me that the only time you would want to taint data would be in testing, which of course this covers. Thoughts?

Here's an example:

    use Test::Taint tests=>4;

    taint_checking_ok();        # We have to have taint checking on

    my $id = "deadbeef";        # Dummy session ID
    taint( $id );               # Simulate it coming in from the web
    tainted_ok( $id );

    $id = validate_id( $id );   # Your routine to check the $id
    untainted_ok( $id );        # Did it come back clean?
    ok( defined $id );

xoxo,
Andy
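A complete test file built around the pattern in the post above, added here as an example rather than taken from the Test::Taint distribution or from Andy's post. It assumes a hypothetical validate_id() that accepts exactly eight lowercase hex digits and untaints by returning the regex capture; the second input with shell metacharacters is constructed to show that a hostile id is rejected rather than untainted. The `-T` on the shebang is what turns taint checking on when the file is run under a harness (or pass `-T` to prove); without it taint_checking_ok() fails and taint() has nothing to do.

```perl
#!/usr/bin/perl -T
# Added example (not from Test::Taint's own docs): exercise taint(),
# tainted_ok() and untainted_ok() around a hypothetical validator.
# Run with taint checking on, e.g.:  prove -T t/session_id.t
use strict;
use warnings;
use Test::More tests => 6;
use Test::Taint;

# Hypothetical validator (an assumption for this example): accept exactly
# eight lowercase hex digits and return the regex capture, which Perl
# treats as untainted; anything else yields undef.
sub validate_id {
    my ($id) = @_;
    return unless defined $id;
    my ($clean) = $id =~ /\A([0-9a-f]{8})\z/;
    return $clean;
}

taint_checking_ok('taint checking is on');

# Constructed inputs standing in for data that arrived from the web.
my $good = 'deadbeef';
my $bad  = 'dead;rm -rf /';   # shell metacharacters that must never pass

taint($good);
taint($bad);
tainted_ok($good, 'simulated web input is tainted');
tainted_ok($bad,  'hostile input is tainted too');

my $clean = validate_id($good);
untainted_ok($clean, 'validated id is untainted');
is($clean, 'deadbeef', 'validated id is unchanged');

my $rejected = validate_id($bad);
ok(!defined $rejected, 'hostile id is rejected outright');
```

Note that the untainting happens only through the regex capture in validate_id(); a validator that returned its argument unchanged after merely checking it would still hand back tainted data, and untainted_ok() would catch that.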

Re: Test::Taint 0.01 is out
by Corion (Patriarch) on Feb 04, 2004 at 07:33 UTC

    I can also think of other situations where local paranoia sets in and one might want to taint data, for example when reading in data from a file or from an email, and it (possibly) hasn't been scrubbed correctly. In such situations, placing a taint() call in the read routine can be interesting.

    How does your module manage the Too late for -T at ... error? Must the make test command be run special or must the Makefile be hacked to enable tainting?

      Test::Harness looks for -T or -t on the shebang line of a test file, and starts perl with it.
        More precisely, Test::Harness::Straps does, so it's overridable.

        You can also use -T or -t parms to prove to turn on taint checking.

        xoxo,
        Andy

Re: Test::Taint 0.01 is out
by mr_mischief (Monsignor) on Feb 05, 2004 at 20:02 UTC
    You want to taint your data any time you are using untrusted user-supplied data in a way which could be abused. That's what it's for.

    Just because you're done testing doesn't mean you can have a program accept input from a user over a network or on a widely shared system which makes an interpolated shell call with that data or opens a user-specified file which could contain a pipe to an arbitrary program.



    Christopher E. Stith
      But all that data is already tainted. I'm not seeing anything in your list of examples that isn't already tainted by the time your program gets it. That's why I don't see taint() as being useful except in test cases where you have to make fake tainted data.

      xoxo,
      Andy

        Ah, taint() as a function! Sorry, I must've misread. I thought the topic was the taint pragma.

        Yes, I'd have to agree it'd be kinda silly to taint data manually outside of testing.



        Christopher E. Stith