js1 has asked for the wisdom of the Perl Monks concerning the following question:

Wise, wise monks!

I hope I don't sound too naive asking this question, but if I use /bin/perl -T, do I still need to check user input for things like leading/trailing spaces, non-alphanumeric characters, hacker code, etc., or is that filtered by the taint module?

js1.

Re: Is taint enough?
by Corion (Patriarch) on Feb 23, 2004 at 12:13 UTC

    Taint mode is nothing more than a gentle reminder to check your data as you receive it. You can easily make taint mode useless by untainting your data in a very liberal manner:

    my $bad;
    if ($field{username} =~ /^(.*)$/) { $bad = $1; }   # /^(.*)$/ matches anything, so $1 is untainted without ever being checked

    In the above example, $bad is untainted, but still might contain unwanted data, like trailing spaces or the like.

    Taint mode never changes your data, it is there to change how you look at your data. If you look at your incoming data in a cavalier manner, you won't benefit from taint mode.

    There is no magic wand for security.

Re: Is taint enough?
by Abigail-II (Bishop) on Feb 23, 2004 at 12:31 UTC
    I hope I don't sound too naive asking this question, but if I use /bin/perl -T, do I still need to check user input for things like leading/trailing spaces, non-alphanumeric characters, hacker code, etc., or is that filtered by the taint module?
    It's important to realize that -T doesn't filter anything. It doesn't modify data. What -T does is flag externally acquired data (for instance, input read, environment variables, etc.), flag all derived data (copies of flagged data, substrings of such data, etc.), and raise a fatal error if you pass flagged data to system calls. Such flagged data is called 'tainted'.

    You still need to 'untaint' the data yourself.

    Abigail
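The following script is an added example, not code posted by Corion, Abigail or anyone else in this thread. It puts Corion's liberal /^(.*)$/ untaint next to a strict whitelist untaint and shows the behaviour Abigail describes: -T flags the data, propagates the flag to derived values, and dies only when the flagged value reaches something like unlink. The sample "usernames" are constructed; they are made tainted by appending a zero-length substring of the tainted %ENV value (a copy of tainted data is tainted), so the script runs offline with no form or terminal input. Scalar::Util::tainted is used to inspect the flag, and the [a-z][a-z0-9_]{0,31} username policy is an assumption for illustration, not a rule from the page.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_demo.pl
# (the -T in the #! line alone is "too late" if the command line lacks it)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Grab a tainted empty string BEFORE sanitising %ENV: substr() of a tainted
# value is tainted, and appending it to a literal taints the copy. This is
# only a trick to fake external input for the demo (assumption: PATH is set).
my $taint_tag = substr($ENV{PATH} // '', 0, 0);
die "PATH not set; cannot build tainted samples\n" unless tainted($taint_tag);

# Standard -T preamble from perlsec: Perl refuses to run external commands
# while PATH and friends are tainted. Not needed for unlink, but any real
# -T script does this before its first system/exec/backtick.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample values standing in for a CGI "username" field.
my @samples = map { $_ . $taint_tag } (
    'alice',            # clean
    'alice ',           # trailing space
    '../etc/passwd',    # path traversal attempt
    'bob; rm -rf /',    # shell metacharacters
);

# Corion's liberal pattern: it matches anything, so $1 is untainted but
# nothing about the value has actually been checked.
sub untaint_liberal {
    my ($in) = @_;
    return $1 if $in =~ /^(.*)$/;
    return;
}

# Strict untaint: state exactly what a valid username looks like (assumed
# policy) and reject everything else. \A and \z anchor the whole string,
# so a trailing space or newline fails instead of being silently dropped.
sub untaint_username {
    my ($in) = @_;
    return $1 if $in =~ /\A([a-z][a-z0-9_]{0,31})\z/;
    return;                     # undef means "rejected", never "cleaned up"
}

for my $raw (@samples) {
    my $liberal = untaint_liberal($raw);
    my $strict  = untaint_username($raw);
    printf "%-18s tainted=%-3s liberal=%-18s tainted=%-3s strict=%s\n",
        "'$raw'",
        tainted($raw)     ? 'yes' : 'no',
        "'$liberal'",
        tainted($liberal) ? 'yes' : 'no',
        defined $strict   ? "'$strict'" : 'rejected';
}

# Where -T actually bites: a value derived from tainted data, used in an
# operation Perl checks. unlink on a path that does not exist has no side
# effect, so it is a safe way to show the fatal "Insecure dependency".
my $tainted_path = "/nonexistent-dir/$samples[0]";    # tainted by derivation
eval { unlink $tainted_path; 1 } or print "unlink(tainted path): $@";

my $safe_name = untaint_username($samples[0]) // die "unexpected rejection\n";
my $removed   = unlink "/nonexistent-dir/$safe_name";  # untainted: allowed
print "unlink(untainted path): ok, $removed file(s) removed\n";
```

The point to take from the output is that the liberal capture and the strict capture are both "untainted" as far as Perl is concerned; only the strict one tells you anything about the value. Taint mode makes you write an untainting regex; it does not grade the regex.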

Re: Is taint enough?
by rinceWind (Monsignor) on Feb 23, 2004 at 13:42 UTC
    You'd do as well to read Ovid's CGI course, which covers this subject in depth.

    --
    I'm Not Just Another Perl Hacker

      Or better yet, look at the camel book (or man perlsec).

      I used to be a funny character, now I'm just 4 bits.
Re: Is taint enough?
by jcpunk (Friar) on Feb 23, 2004 at 17:53 UTC
    Taint mode is definitely a curious thing. If you are looking for good information, the tutorial recommended above was my way into it. Also, I have asked several dozen questions regarding taint mode here, and almost every response I received was worth its weight in gold, so you may want to look at what has been recommended to me in the past for some quick and dirty brief information.

    jcpunk
    all code is tested, and doesn't work so there :p (variant on common PM sig for my own amusement)