On Tue, 6 Jun 2000, Geoffrey Young wrote:

> > In general, when accepting arbitrary user input you want to make sure
> > there are only a very few access points to the code, then make sure you
> > have very tight validation of the data in those access points.  Taint
> > mode comes to mind as one tool in the belt.
> 
> right, except that you can't code a module in taint mode, you have to rely
> on the user setting PerlTaint On (right?)

Yeah, you cannot set it from within the module. But, is there a way we
could read the value of the internal perltaint variable (well, constant)?

So you could write:

  die "Must enable the TaintMode!"
    unless CORE::TaintIsOn();

I guess we could hack the XS/C code and get an interface for it?
        
I guess that p5p folks might not realize how important it is to be able to
enforce this mode for the web scripts, for clueless users. Maybe one of
the respected web security experts will give a nudge at the p5p list to
give us at least a read-only special perl variable like $^R to check for
taint mode?

I know some people believe that they can get away without this mode;
that's why it'd be best if it were a variable and not a static value,
so those who don't want it would be able to turn it off. But in all modules
that deal with the system I'd put the taintmode on.

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org     http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org
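The read-only variable asked for in this message did arrive in Perl 5.8.0 as `${^TAINT}`. Below is an added example, not code from the thread or from mod_perl, showing a hypothetical module `MyApp::TaintGuard` that refuses to load unless taint checking is on, detects whether a value is tainted (the perlsec idiom), and untaints only through an explicit whitelist pattern.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Run as: perl -T this_file.pl
package MyApp::TaintGuard;   # hypothetical module name
use strict;
use warnings;

# ${^TAINT} (Perl 5.8.0+) is 1 under -T, 0 when taint mode is off, and
# -1 under -t (warn only). It is read-only: a module cannot turn taint
# mode on, but it can refuse to run without it.
BEGIN {
    die "MyApp::TaintGuard requires taint mode (perl -T)\n"
        unless defined ${^TAINT} && ${^TAINT} == 1;
}

# True if $value carries the taint flag. A string eval of tainted data
# (even a zero-length slice of it) dies under -T, so the inner eval fails.
sub is_tainted {
    my ($value) = @_;
    local $@;   # don't clobber the caller's $@
    return !eval { eval("#" . substr($value, 0, 0)); 1 };
}

# Untaint only through a whitelist: a bare identifier of 1..32 word chars.
# Anything else is rejected outright rather than "cleaned up".
sub untaint_ident {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

package main;

# Constructed sample input: under -T, %ENV and @ARGV values are tainted;
# the literal fallback is not.
my $raw = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : 'user_42';
my $clean = MyApp::TaintGuard::untaint_ident($raw);
die "rejected input: does not match identifier whitelist\n"
    unless defined $clean;
printf "tainted before: %d, after: %d, value: %s\n",
    MyApp::TaintGuard::is_tainted($raw)   ? 1 : 0,
    MyApp::TaintGuard::is_tainted($clean) ? 1 : 0,
    $clean;
```

Running it without `-T` dies in the BEGIN block, which is the enforcement the message wishes for; with `QUERY_STRING='abc;rm' perl -T this_file.pl` the input is rejected instead of untainted.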
