This is meaningful in a web application, where you want to protect your servers from web monkeys trying to poke and prod their way through your application to the OS.

That's a waste of cycles if such checks aren't required.

"Yeah, some luser stole the CC database, ordered $10_000_000_000 of goods, sold the customer list to spammers and deleted all the real orders, but hey! the application runs 0.002% faster!"

Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?

I use -T for pretty much anything that's going to be run by anyone except me (I assume I'll supply only valid input -- I'm right _most_ of the time): Like use strict; it helps me write good code, in this case ensuring I validate user input.

* "What due you mean I can't use spaces, (), &, ;, *, ? in filenames?"

Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?

Yes, but that's a far cry from "having it on all the time". Most users cannot (on a proper system) damage the system anyway. It doesn't make sense to have taint checking on oh, say "ls", or "vi" (unless you were to make a restricted shell inside "vi").

And it's not that the language offers you a helping hand free of costs. It's like equiping electronic locks on all the doors in your house - including the doors to any closets, and the lid on your toilet. Locks that can only be unlocked (for one time usage, closing the door auto-locks) by typing in 16 character hex code. Sure, it helps reduce theft from your home. But it isn't very convenient to go from one room to another anymore.

So, the taint really comes into play whenever there is a user interface of some sort. Whether it is web based, curses based, Tk based, etc.

Taint mode would be wasted on non interacting scripts (installation, etc0).. do I have this correct? trying to make sure I understand the reasoning :)

Jason L. Froebe

I don't see much point of using -T on stuff like interactive clients, Tk or not. After all, if the user is going to try to mess with the client, all he can do is screw himself. I make it a point to use it for the server end though, whether it's a CGI script, daemon, Win32 service, or whatnot.

That's not to say that a client program shouldn't be doing any kind of error checking. It should, to some extent. But the server shouldn't depend on that at all, and it should thoroughly check all input in minute detail (which is where taint mode helps out a bit, though it's not 100% foolproof).

Basically, it comes down to this: any code running on a machine which you don't control is code that you can't depend on in terms of security.

After all, if the user is going to try to mess with the client, all he can do is screw himself.

Even it's result of bad input, (perhaps especially if ...) it will be in the user's mind "the program's fault" -- "the program trashed my disk/registry/irreplacable data file/..." and you'll be the one who gets bad-mouthed.

If *, (), rm -rf /, ;"@{unlink <*>}" aren't valid in filenames, then don't let them be there. And having Perl cover your a** takes only one extra char!