Re^2: Please explain this tainting behaviour

Thanks for the replies everyone, makes sense. The bracket problem I meant to mention - when I previewed the post the brackets weren't coming out, so i put parentheses in.

To get some more clarification - do I need to be running -T for this to work? I was hoping I could just pass all my parameters through it and get a "this data is OK" or "not OK".

Comment on Re^2: Please explain this tainting behaviour

Replies are listed 'Best First'.
Re^3: Please explain this tainting behaviour by Aristotle (Chancellor) on Aug 05, 2004 at 21:08 UTC
Yes, you'll have to use `-T` to enable taint checking. It cannot do your work for you, though. It is merely prevents you from accidentally using unfiltered user input to perform dangerous operations. The onus for defining what data is well-formed and safe to accept and what's not, though, is still on you. The only way to get untainted data from a tainted variable is to perform a pattern match, and capture some or all of the data. The captured data is then untainted. F.ex, if you have an input value that must only consist of digits, you could untaint it like so: `unless( $some_user_input =~ /^(\d+)$/ ) { die "You did not pass only digits for some_input\n"; # or you produce an error page here or send the user back if it's +a CGI, f.ex } my $untainted_user_input = $1;` [download] Now you can perform dangerous operations using `$untainted_user_input`. Of course, nothing stops you from using `/(.)/s` as the test pattern, therefor accepting any input at all and thus defeating the point of taint checks. Ovid's excellent CGI course has an enlightening chapter on how to untaint data sensibly, treating taint checking as an ally that will help you avoid getting exploited. There are modules on CPAN that will help you with common untainting tasks — look for the various Untaint modules. Makeshifts last the longest.*	[reply] [d/l]

Replies are listed 'Best First'.

Re^3: Please explain this tainting behaviour
by Aristotle (Chancellor) on Aug 05, 2004 at 21:08 UTC

Yes, you'll have to use -T to enable taint checking. It cannot do your work for you, though. It is merely prevents you from accidentally using unfiltered user input to perform dangerous operations. The onus for defining what data is well-formed and safe to accept and what's not, though, is still on you.

The only way to get untainted data from a tainted variable is to perform a pattern match, and capture some or all of the data. The captured data is then untainted. F.ex, if you have an input value that must only consist of digits, you could untaint it like so:

unless( $some_user_input =~ /^(\d+)$/ ) {
    die "You did not pass only digits for some_input\n";
    # or you produce an error page here or send the user back if it's 
+a CGI, f.ex
}

my $untainted_user_input = $1;
[download]

Now you can perform dangerous operations using $untainted_user_input.

Of course, nothing stops you from using /(.*)/s as the test pattern, therefor accepting any input at all and thus defeating the point of taint checks.

Ovid's excellent CGI course has an enlightening chapter on how to untaint data sensibly, treating taint checking as an ally that will help you avoid getting exploited.

There are modules on CPAN that will help you with common untainting tasks — look for the various Untaint modules.

Makeshifts last the longest.

[reply]
[d/l]