in reply to Module: Override Function Calls

why not have a certain base function that sanitizes all of the arguments passed to the module, and then passes the newly sanitized arguments on to the function that was supposed to be called?
Because there is no universal "sanitizing" function. What's valid as a filename might not make sense for an email address, and vice versa. Every argument has to be considered individually, and therefore any wrapper would have to know what arguments are expected. By the time you've done all that, you might as well just subclass or edit the original subroutines, rather than wrap them.

That's why I hate these "untaint" modules: they generally are re-opening the hole that tainting is trying to close. Every value needs to be considered individually!

Re^2: Module: Override Function Calls
by agianni (Hermit) on Mar 14, 2007 at 16:26 UTC
    Right, you need to use something that will allow you to specifically validate all of your fields individually. If you want to actually do it right and make your security functionality more than a gesture, you need to use something like Data::FormValidator to specifically check each and every one of your arguments against a regex or lookup. I've seen way too much of this:

        # untaint!
        $cgi->param('field') =~ m/(.*)/;
        $cgi->param('field', $1);
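As an added illustration of the point made in both replies above (one rule per argument, nothing blanket), here is a small core-Perl script that is not from the thread or from Data::FormValidator: each field name maps to a capture regex that admits only what that field may legitimately hold, anything without a rule is rejected instead of passed through, and the sample input, field names and patterns are constructed for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Per-field untaint rules (assumed names and patterns, constructed for this
# example). Each regex anchors the whole value and captures only the part
# that the field is allowed to contain; nothing is matched with (.*).
my %RULES = (
    filename => qr/\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/,  # no path separators, no leading dot
    email    => qr/\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/,
    count    => qr/\A([0-9]{1,6})\z/,
);

# Validate one named argument. Returns the untainted value on success and
# undef on failure. A field with no rule is a failure, not a pass-through.
sub untaint_field {
    my ($name, $value) = @_;
    my $re = $RULES{$name} or return undef;
    return undef unless defined $value;
    return $value =~ $re ? $1 : undef;
}

# Validate a whole argument hash. Returns (\%clean, \@rejected) so the
# caller can refuse the request if anything was rejected.
sub untaint_args {
    my %in = @_;
    my (%clean, @bad);
    for my $name (sort keys %in) {
        my $v = untaint_field($name, $in{$name});
        if (defined $v) { $clean{$name} = $v } else { push @bad, $name }
    }
    return (\%clean, \@bad);
}

# Constructed sample input, shaped like a set of CGI parameters.
my ($clean, $bad) = untaint_args(
    filename => 'report.txt',
    email    => 'monk@example.com',
    count    => '12abc',        # rejected: not purely numeric
    extra    => 'whatever',     # rejected: no rule exists for this field
);
print "accepted: $_ => $clean->{$_}\n" for sort keys %$clean;
print "rejected: @$bad\n";
```

Run it under taint mode (`perl -T`) to see that only the captured `$1` values become usable; the blanket `m/(.*)/` form from the post above would have accepted all four values, including `12abc` and the unknown `extra` field.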