SUMMARY

The 'untaintby' property restricts which modules may untaint the data or
data derived from that data.

DETAILS

I was recently using a module I downloaded from CPAN and looking through
the code I discovered that it untainted certain data that it had no
business untainting (IMHO).  The untainting was an unintended byproduct of
some otherwise useful work. (See my earlier concern about untainting at
http://makeashorterlink.com/?Y28261A12)

Now, tainting is a funny thing: it's an admission that maybe your program
doesn't work quite the way you want it to. I submit that if it's healthy to
doubt the perfection of your own code (even though you run it), it's also
healthy to doubt other people's code (even though you use it). I would feel
a little more comfortable if I could say "I'll hold back the untainting to
just my own code".

Here's my little brainstorm.  Objects can be marked with a property called
'untaintby'.  The value of the property is a list of modules that are
allowed to untaint the data.  Example:

  my $command is untaintby('MyApp::Commands', 'Util::IdCheck')
    = CGI.param('command');

Any module that isn't authorized by that list cannot untaint the data, and
cannot derive untainted data from it.  No error results from a class trying
to do an unauthorized untaint: the data just isn't untainted.

So, for example, if the data were copied into $privatecmd in Foo::Bar, that
copied value would inherit the untaintby property.  If a regex were run
against $privatecmd...

  # bad untainting, bad!
  $privatecmd =~ m|([^!-`])+|;
  $newcmd = $1;

... $newcmd would also inherit the untaintby property, and would still be
tainted. Modules may further restrict the untaintby property (i.e., shorten
the list) but they may not add to it.

The module that initially sets the untaintby property is by default
included in the list, so to restrict to just the current class you could
say 

  my $command is untaintby() = CGI.param('command');

(Hmm, I'm not sure about that, though.  It isn't clear just reading it that
the current module can untaint. What do you think?)

-Miko
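
The rules proposed above can be modelled in Perl 5. This is an added example, not part of the original post: the TaintedValue class and its method names are hypothetical, and the calling package (from caller) stands in for "the module doing the untainting".

```perl
use strict;
use warnings;

package TaintedValue;    # hypothetical class modelling the proposal

# The package that marks the value is on the allow-list by default.
sub new {
    my ($class, $value, @allowed) = @_;
    my $owner = caller;
    my %allow = map { $_ => 1 } ($owner, @allowed);
    return bless { value => $value, tainted => 1, allow => \%allow }, $class;
}

# A copy inherits the taint flag and gets its own copy of the allow-list.
sub copy {
    my ($self) = @_;
    return bless { %$self, allow => { %{ $self->{allow} } } }, ref $self;
}

# Modules may shorten the list but can never add to it.
sub restrict {
    my ($self, @keep) = @_;
    my %keep = map { $_ => 1 } @keep;
    delete $self->{allow}{$_} for grep { !$keep{$_} } keys %{ $self->{allow} };
    return $self;
}

# Regex capture: untaints only when the calling package is on the list;
# otherwise no error is raised and the result simply stays tainted.
sub capture {
    my ($self, $re) = @_;
    my $who = caller;
    my ($got) = $self->{value} =~ $re or return;
    my $new = $self->copy;
    $new->{value}   = $got;
    $new->{tainted} = 0 if $self->{allow}{$who};
    return $new;
}

sub is_tainted { return $_[0]{tainted} }

package Foo::Bar;           # downloaded module, not on the list
sub clean { return $_[0]->copy->capture(qr/([^!-`]+)/) }

package MyApp::Commands;    # module named in the list
sub clean { return $_[0]->capture(qr/(\w+)/) }

package main;
my $command = TaintedValue->new('status', 'MyApp::Commands', 'Util::IdCheck');
my $narrow  = $command->copy->restrict('main', 'Foo::Bar');   # Foo::Bar is not added
my @cases = ([ 'Foo::Bar' => Foo::Bar::clean($command) ],
             [ 'MyApp::Commands' => MyApp::Commands::clean($command) ],
             [ 'MyApp::Commands, shortened' => MyApp::Commands::clean($narrow) ]);
printf "%-28s %s\n", $_->[0], $_->[1]->is_tainted ? 'tainted' : 'untainted' for @cases;
```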


