in reply to Could we get a more systematic approach to security in perl?

Call me naive, but I never considered Perl's taint mode to be very important for programming secure web applications.

I use it for my CGI scripts, but so far I don't think it ever prevented any malicious actions.

That's probably because my scripts don't work much with the file system, but instead they access a database. (If they do access the file system, it's always with a white listing approach). With DBI's placeholders there's no malicious value an intruder might enter to compromise the database.

For output I use HTML::Template::Compiled with the default_escape => 'HTML' option, so even for "malicious" values (containing HTML meta characters) I don't any HTML injected.

So the "classical" security bugs don't really threaten my CGI scripts - it's more a possible forgotten authentication check or so (or maybe XSRF) that might threaten them - but for those taint mode doesn't really buy me anything at all.

Perl 6 - links to (nearly) everything that is Perl 6.

Replies are listed 'Best First'.
Re^2: Could we get a more systematic approach to security in perl?
by SilasTheMonk (Chaplain) on Mar 28, 2010 at 16:54 UTC

    I absolutely understand that taint mode does not capture everything but it does capture a lot, and as far as I know has no drawbacks save the fact that too many modules were not written with it in mind. I believe it to be a useful tool.

    Actually I my emphasis was not actually on taint, but can people take more interest in a systematic approach to security and learn form security practices in other languages as described in OWASP? One OWASP principle is "Defence in depth". As such why through away one possible line of defence?

[reply]
Re^2: Could we get a more systematic approach to security in perl?
by Jenda (Abbot) on Mar 29, 2010 at 11:36 UTC

    Which means you already do all the things tainting would try to force you to without the need to be bugged by it. Good for you but ... the fact that you decided to drive safely, slow down in villages and towns, etc. etc. etc. doesn't mean other people do not need to be forced to slow down. You would not notice there's a speed limit, because you already drive below without being told. Others need to be told.

    BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?

    Update: s/willages/villages/, thx marto.

    Jenda
    Enoch was right!
    Enjoy the last years of Rome.

[reply]
[d/l]
      BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?
      You would declare the escape type in the template: 
      <a href="/foobar/<TMPL_VAR myurl ESCAPE=URI">...</a>

      [download]

      You can also use ESCAPE=NONE inside the template if you consciously want to interpolate HTML. The point is just that if you don't think of escaping at all, there's a safe default which does not lead to XSS holes.

      Perl 6 - links to (nearly) everything that is Perl 6.
[reply]
[d/l]
[select]

In Section Meditations