in reply to Is the force_untaint option in HTML::Template overkill?

If you're thinking of allowing unchecked user input in the belief that it will always be stuff that ought to be secure, I have a very nice bridge for sale...

All too often, "stuff" (AKA, "user input") is NOT "secure" for values of "secure" which eq "safe to allow."

And, by "spending a lot of time untainting" I'm guessing that you mean "writing code" as opposed to "spending" a lot of CPU time.

If so, it's a one time cost that will be repaid the first time untainting saves your bacon (AKA, "site, reputation, or fortune").

Re^2: Is the force_untaint option in HTML::Template overkill?
by SilasTheMonk (Chaplain) on Sep 14, 2008 at 09:09 UTC
    I am very happy with the answers, but I will offer a clarification just in case this produces a different answer - or at least a deeper answer. I am not casting doubt on the -T argument in perl. I absolutely see the point of that. I'll explain the example that is bugging me at the moment. In the form element I need to post back a $my_cgi->start_form() into the HTML::Template variable <TMPL_VAR NAME="form">. In HTML::Template I am using that module's force_untaint option and it is complaining about taint. Given that when the submit button is pressed, the arguments passed to the CGI script will be checked for taint, why do I need to check the HTML shown to the user for taint?
      why do I need to check the HTML shown to the user for taint?
      Same reason, security. From the docs:
      force_untaint - if set to 1 the module will not allow you to set unescaped parameters with tainted values. If set to 2 you will have to untaint all parameters, including ones with the escape attribute. This option makes sure you untaint everything so you don't accidentally introduce e.g. cross-site-scripting (CSS) vulnerabilities. Requires taint mode. Defaults to 0.
        The link on cross-site scripting was very enlightening. The general lesson I guess is that these evil outsiders are cleverer than I am. This is making me think that I should write a module to lighten the load.

        CGI::Paranoia

        • By default would create and inherit from a CGI::Safe object.
        • By default would create and stash a CGI::Untaint object.
        • Would respect the CGI interface but would ensure that all functions in the CGI interface returned untainted values. Examples: param(), self_url(), start_form()
        • The constructor would accept an optional CGI-like object to inherit from and an optional CGI::Untaint object to stash.
        • The constructor would also accept an optional hash map (param() => CGI::Untaint handler) and an optional parameter specifying the INCLUDE_PATH parameter of the CGI::Untaint object.
        • The constructor would require a default untaint handler that would be used in all other cases.
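The following script is an added example, not code from the thread, from HTML::Template or from any CGI::Paranoia module. It illustrates two things from the discussion above: what force_untaint refuses (here at level 2, so even the ESCAPE="HTML" variable must be untainted), and the per-parameter whitelist with a default handler that the CGI::Paranoia sketch describes, implemented as a plain hash of regexes and a hypothetical `untaint` sub. It assumes HTML::Template and CGI are installed; the request parameters, the form tag (standing in for start_form() output, which is tainted in a live request because its action comes from %ENV) and the template are constructed inline.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use HTML::Template;
use Scalar::Util qw(tainted);

# Under -T every %ENV value is tainted. Concatenating an empty slice of
# $ENV{PATH} taints a literal, which lets the demo simulate request data
# offline (constructed input, not a real request).
my $taint = substr($ENV{PATH}, 0, 0);
my $q = CGI->new({
    name => $taint . 'Silas <script>alert(1)</script>',
    age  => $taint . '42',
});

# In a live request $q->start_form() builds its action from %ENV
# (SCRIPT_NAME), so its output is tainted as well; built by hand here.
my $form_html = $taint . '<form method="post" action="/cgi-bin/app.pl">';

# Per-parameter whitelist patterns plus a default, in the spirit of the
# (param() => handler) map sketched above. Perl untaints by keeping only the
# capture of a successful match; the capture is a fresh, untainted value.
my %handler = (
    age  => qr/\A(\d{1,3})\z/,
    form => qr{\A(<form method="(?:post|get)" action="[\w./-]+">)\z}i,
);
my $default = qr/\A([\w .,'-]{1,80})\z/;   # printable text, no markup characters

# Hypothetical helper: returns the untainted capture or dies on a mismatch.
sub untaint {
    my ($key, $value) = @_;
    return undef unless defined $value;
    my ($clean) = $value =~ ($handler{$key} || $default)
        or die "parameter '$key' failed its whitelist\n";
    return $clean;
}

my $tmpl = HTML::Template->new(
    scalarref => \<<'TMPL',
<TMPL_VAR NAME="form">
<p>Hello, <TMPL_VAR NAME="name" ESCAPE="HTML"> (<TMPL_VAR NAME="age">)</p>
</form>
TMPL
    force_untaint => 2,   # level 2: every value must be untainted, escaped or not
);

# Setting a tainted value is refused at level 2 even though name has ESCAPE="HTML".
eval { $tmpl->param(name => scalar $q->param('name')); 1 }
    or print "refused tainted 'name': $@";

# Run each parameter through its handler first. 'age' passes; 'name' fails the
# default whitelist because of the <script> markup and is left unset rather
# than rendered.
for my $key (qw(age name)) {
    my $clean = eval { untaint($key, scalar $q->param($key)) };
    if (defined $clean) { $tmpl->param($key => $clean) }
    else                { print "dropped '$key': $@" }
}

# The form tag is raw HTML (no ESCAPE), so it must match its own pattern.
$tmpl->param(form => untaint('form', $form_html));

print "form value untainted? ", (tainted($tmpl->param('form')) ? 'no' : 'yes'), "\n";
print $tmpl->output;
```

Run it with `perl -T` so that %ENV is tainted; without -T nothing is tainted and force_untaint has nothing to refuse. The design point is that the whitelist, not the escaping, is what makes an unescaped variable such as the form tag safe to emit: a value that fails its pattern stays tainted and never reaches the template.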