in reply to Re^2: Is the force_untaint option in HTML::Template overkill?
in thread Is the force_untaint option in HTML::Template overkill?

why do I need to check the HTML shown to the user for taint?
Same reason, security. From the docs:
force_untaint - if set to 1 the module will not allow you to set unescaped parameters with tainted values. If set to 2 you will have to untaint all parameters, including ones with the escape attribute. This option makes sure you untaint everything so you don't accidentally introduce e.g. cross-site-scripting (CSS) vulnerabilities. Requires taint mode. Defaults to 0.
  • Comment on Re^3: Is the force_untaint option in HTML::Template overkill?

Replies are listed 'Best First'.
CGI::Paranoia - Re^4: Is the force_untaint option in HTML::Template overkill?
by SilasTheMonk (Chaplain) on Sep 14, 2008 at 12:06 UTC
    The link on cross-site scripting was very enlightening. The general lesson I guess is that these evil outsiders are cleverer than I am. This is making me think that I should write a module to lighten the load.

    CGI::Paranoia

    • By default would create and inherit from a CGI::Safe object.
    • By default would create and stash a CGI::Untaint object.
    • Would respect the CGI interface but would ensure that all functions in the CGI interface returned untainted values. Examples: param(), self_url(), start_form()
    • The constructor would accept an optional CGI-like object to inherit from and an optional CGI::Untaint object to stash.
    • The constructor would also accept an optional hash map (param() => CGI::Untaint handler) and an optional parameter specifying the INCLUDE_PATH paramater of the CGI::Untaint object.
    • The constructor would require a default untaint handler that would be used in all other cases.
[reply]
      Would respect the CGI interface but would ensure that all functions in the CGI interface returned untainted values.

      I believe you have a stray "un" in there... All functions in the CGI interface should return tainted values (at least when said values are derived from an untrusted source) because only the code which ultimately uses the data is able to determine whether the data is safe or not. There's no way for this (presumably hypothetical) CGI::Paranoia module to make that determination on its own. Even an application-specified untaint handler can't readily resolve this (unless it's specifiable on a call-by-call basis, at which point you may as well just make the untainting call normally anyhow), as data which is safe in one section of the application may not be safe in another.

[reply]

        My specification included (and requires) registering untaint handling callbacks with the CGI::Paranoia object on creation. This is the application's opportunity to say what is tainted and what not.

        Also in the case of functuons like self_url(), the application is not well placed to say what is tainted. The application is well placed to test each parameter for taint, but to test the result of self_url() for taint it has to parse an http address. The CGI module is better placed to do this albeit deferring to the application when it is reduced down to individual parameters.

        I clearly need to knock up a simple example, which I will endeavour to do before someone else posts.

        Update

        I have an example. First of all the template file "test.tmpl". 
        <html>
  <head><title>test.tmpl</title></head>
  <body>
    <TMPL_VAR NAME="form">
      <submit/>
    </form>
  </body>
</html>

        [download]
        Now the test script: test.pl. 
        #!/usr/bin/perl -wT
use HTML::Template;
use CGI;
my $q = CGI->new();
my $template = HTML::Template->new(filename => './test.tmpl',force_unt
+aint=>1);
$template->param(form=>$q->start_form());
print $template->output();

        [download]
        The output is as follows: 
        $> perl -T test.pl
<html>
  <head><title>test.tmpl</title></head>
  <body>
    <form method="post" action="http://localhost" enctype="multipart/f
+orm-data">


      <submit/>
    </form>
  </body>
</html>

$> perl -T test.pl blah=1
HTML::Template->output() : tainted value with 'force_untaint' option a
+t test.pl
line 7

        [download]
        I think the CGI module is better placed to produce an untainted start_form() value then the application.
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom