--- [EMAIL PROTECTED] wrote:
| SUMMARY
| By default, regexes shouldn't untaint. Also, provide a
| toolkit for Safer Untainting.
| ...
| Ergo, I propose that regexes only untaint stuff in parens
| if you specifically tell them to do so. A capital-T
| switch would work nicely
    #!/usr/bin/perl -wT
    use 5.005;
    use strict;
    use re 'taint';

It appears you wish to have "use re 'taint'" as the default in Perl 6, rather than the current default behaviour w.r.t. untainting with regexes.

Taint mode scripts should be well designed and written; however, it cannot be uncommon that a programmer is charged with the task of adding security to an existing script. In this case, the likelihood of /(.*)/ or equivalent being missed is high. For the author of secure-from-the-ground-up scripts, this change would be less of an issue.

The toolkit is an interesting idea; however, it would seemingly reimplement many of the regex rules that would be part of other modules.

An interesting idea (and I would hope someone has already thought of it) is to use regex rules to specify that whatever they match is automatically untainted. [disclaimer: my Perl 6 regex skills are lacking, please don't flame me regarding misuse/mistakes]

For example:

    my $untainted = _/^(rule)$/;

By using rules provided by the modules I am using, it allows someone else to consider whether their approach is secure enough to set this option. Any modules that don't cater for taint mode users won't set this untaint-safe option.

Currently, the danger is that a module author uses *unsafe* regexes, but has no way to inform the users except by documentation. If, within the code, they use /(.*)/, then this would silently untaint data. The vigilant should check before passing to outside functions; however, sometimes it is appropriate not to, e.g. parsing. Currently, there are many places "use re 'taint'" should have been used, but the author didn't, through laziness (or it wasn't appropriate for him to care).

SUMMARY: I want rules to be *able to* untaint their captured String.

Jonathan Paton

=====
s''! v+v+v+v+ J r e P h+h+h+h+ !s`\x21`~`g,s`^ . | ~.*``mg,$v=q. P ! v-v-v-v- u l r e r h-h-h- !12.,@.=m`.`g;do{$.=$2.$1,$.=~s`h E ! v+v+v+ s k e h+h+ !`2`x,$.=~s`v`31`,print$.[$v+=$.] R ! v-v- t H a c h h- !}while/([hv])([+-])/g;print"\xA" L ! A n o t !';$..=$1while/([^!]*)$/mg;eval$.
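The behaviour discussed in the message above, a permissive /(.*)/ silently untainting data under -T while "use re 'taint'" keeps the capture tainted, can be observed directly in Perl 5. The script below is an added example, not code from the original message or from the proposal it replies to. The file name untaint_demo.pl, the helper names and the sample inputs are assumptions made here; it relies only on core Perl and Scalar::Util, and must be started with taint checks enabled.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original message. Run as:  perl -T untaint_demo.pl
# Shows (1) a permissive /(.*)/ capture silently laundering tainted input under -T,
# (2) `use re 'taint'` keeping such captures tainted, and (3) a whitelist pattern,
# which is the only case where untainting through a capture is justified.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The classic mistake: .* accepts anything, yet the capture comes back
# untainted, so no validation has actually happened.
sub careless_untaint {
    my ($s) = @_;
    my ($clean) = $s =~ /^(.*)$/s;
    return $clean;
}

# Same regex, but with the pragma in effect the capture inherits the
# taintedness of the string it was matched against. The pragma is
# lexically scoped, so it affects only this block.
sub strict_capture {
    use re 'taint';
    my ($s) = @_;
    my ($capture) = $s =~ /^(.*)$/s;
    return $capture;
}

# Legitimate untainting: the pattern is a whitelist (file-name characters
# only, anchored at both ends), so anything that matches is known-good.
# Returns undef for input that does not pass, rather than a laundered copy.
sub safe_untaint {
    my ($s) = @_;
    return undef unless $s =~ /^([A-Za-z0-9_][A-Za-z0-9_.\-]*)$/;
    return $1;
}

sub yn { return $_[0] ? "yes" : "no" }

die "this demo must be run with taint checks on: perl -T $0\n" unless ${^TAINT};

# Under -T every value in %ENV and @ARGV is tainted; use one as the source.
my $source = @ARGV ? $ARGV[0] : $ENV{PATH};
die "need PATH in the environment or a command-line argument\n"
    unless defined $source && tainted($source);

# An empty string derived from tainted data is itself tainted; concatenating
# it onto a literal is the usual way to build tainted test values.
# These are constructed sample inputs, not real user data.
my $taint_mark = substr($source, 0, 0);
my $good_name  = $taint_mark . "report-2024.txt";
my $bad_name   = $taint_mark . "../../etc/passwd; rm -rf /";

printf "%-44s %s\n", "source tainted?",
    yn(tainted($source));
printf "%-44s %s\n", "/(.*)/ capture tainted (default)?",
    yn(tainted(careless_untaint($source)));
printf "%-44s %s\n", "/(.*)/ capture tainted (use re 'taint')?",
    yn(tainted(strict_capture($source)));

for my $name ($good_name, $bad_name) {
    my $ok = safe_untaint($name);
    printf "whitelist on %-30s -> %s\n", "'$name'",
        defined $ok ? "accepted, tainted? " . yn(tainted($ok)) : "rejected";
}
```

Start it with `perl -T untaint_demo.pl` (or make it executable and run it directly); invoking it as `perl untaint_demo.pl` makes Perl abort with "Too late for -T", since taint checks must be on from the very start. The first two printed answers are "yes" and "no": the source is tainted, but the default /(.*)/ capture is not, which is exactly the silent untainting the message warns about. Inside strict_capture the same regex yields a tainted value, and safe_untaint accepts the file name while rejecting the path-traversal string instead of laundering it.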