Let me put it this way.
If your process is truly secure because it is jailed and it is behind an SSL apache password protected site, then you should be able to convince your administrators that allowing you to avoid taint checking is OK. That is a site administrator decision.
If the administrators will not allow you to turn it off, they probably have reasons. They know your setup better than I do, and probably better than you do as well. What reasons, you ask? Well, they may be aware of security issues which you are not. For instance, the chroot jail may be breakable by standard cracking tools. Perhaps you are connecting to a database that needs to be protected. Now, you trust your users. But perhaps they do not trust users of the site to use good passwords. Or they may be afraid that users are coming from compromised machines.
Depending on what you are doing, these concerns may be real and valid.
Here is what I know.
I am trying to help you. I really am. I am trying to help you with what I see as the most important problem that you have. IMHO that problem is that you do not seem to understand that your corporate security policy has a reason for existing. It is not your place to decide for your company that you don't need to follow policy. It is not my place to tell you how to open your company up to attacks that they know about and are trying to prevent.
Now, your company may have a bunch of fascist morons dictating security. If so, then that is an internal problem. Complain. But don't ask others to help you get into trouble.
In reply to Re (tilly) 9: CGI::param wrapper for untainting by tilly
in thread CGI::param wrapper for untainting by dcardamo