in reply to Re^2: Runtime Taint Enable
in thread Runtime Taint Enable
Hmm, interesting: I confess I don't use tainting in my CGI scripts despite the common recommendations, and this is part of the reason why - the data sources I want to choose not to trust are a small fraction of the whole, and the maintenance cost of detainting everything seems too high to me.
With the caveat that perl is not written with the intention of supporting this, I found the following simple test gave me the results I expected:
#!/usr/bin/perl -w use strict; use Scalar::Util qw/ tainted /; use Inline C => 'void starttaint() { PL_tainting = 1; }'; my $line = <>; print "line tainted: ", tainted($line), "\n"; print "\$0 tainted: ", tainted($0), "\n"; starttaint(); $line = <>; print "line tainted: ", tainted($line), "\n"; print "\$0 tainted: ", tainted($0), "\n";
It is trickier if you want to taint a data structure after having turned on tainting late: the normal way to taint a variable is to wave another already-tainted variable at it, but in this case you might not have one. The simplest way to achieve that is to add another Inline function to create one:
SV* taintvar() { PL_tainted = 1; return newSVpvn("", 0); } ... # perl code starttaint(); my $tv = taintvar(); sub taintme { wantarray ? map($_ .= $tv, @_) : $_[0] . $tv }
I repeat, perl was not written with the intent of supporting such usage, and the behaviour may easily change between perl versions, platforms and phases of the moon.
Hugo
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re^4: Runtime Taint Enable
by Rhandom (Curate) on Feb 24, 2005 at 15:41 UTC | |
|
Re^4: Runtime Taint Enable
by Anonymous Monk on Feb 24, 2005 at 15:38 UTC | |
by sgifford (Prior) on Feb 24, 2005 at 16:09 UTC |