On Mon, Aug 19, 2002 at 12:26:24AM +1000, Bradley Baetz wrote: > Would it be possible for DBI to have a TaintInput attribute, similar to > its current |Taint| one, but only checking incoming data, without tainting > data coming from the DB? > > Bugzilla currently has all its SQL calls done via in its own function > (SendSQL), which (among other things) tests if the passed in string is > tainted using the is_tainted function given in the perlsec pod. > > Using one function inside Bugzilla for all SQL calls has flexibility > problems (for example, it currently only uses > prepare/execute/fetchall_array internally, even when other functions would > be better). > > The problem with DBI's current taint attribute is that Bugzilla trusts the > database itself (since thats all which we are protecting, theres not much > point in not doing so), we just want to be careful that we don't pass > unquoted/unsanitised strings to the database. Tainting the output values > means that if we want to use the results from the db in another query, we > have problems, and manually detainting every second SQL call is painful.
I agree with the principle. Patches welcome. (Add TaintInput and TaintOutput attributes and make the Taint attribute set both and return true if either is set.) > The alternative is to subclass the DBI (Which I plan on doing anyway, for > other reasons). Is it guaranteed that if I override |prepare|, all the > calls to do/select*_*/etc will pass through |prepare| at some point? A few drivers override do() specially. All the select*_* methods use prepare(). Tim.
