On Feb 6, 3:01 am, Ben Finney <[EMAIL PROTECTED]> wrote:
> "Gabriel Genellina" <[EMAIL PROTECTED]> writes:
> > And tainted() returns False by default?????
> > Sorry but in general, this won't work :(
> I'm inclined to agree that the default should be to flag an object as
> tainted unless known otherwise.
That's true. For example, my first attempt didn't prevent this:

os.open(buffer('/etc/passwd'), os.O_RDONLY)

Here's a stricter version:

# SafeString is the marker subclass for strings known to be safe
# (assumed to be defined earlier in the thread; shown here so the
# function runs stand-alone under Python 2).
class SafeString(unicode):
    pass

def tainted(param):
    """
    Check if a parameter is tainted.
    If it's a sequence or dict, all values will be checked (but not the keys).
    Anything not explicitly known to be safe is treated as tainted.
    """
    if isinstance(param, unicode):
        # only the marker subclass is trusted
        return not isinstance(param, SafeString)
    elif isinstance(param, (bool, int, long, float, complex, file)):
        return False
    elif isinstance(param, (tuple, list)):
        for element in param:
            if tainted(element):
                return True
        # no tainted element found: must say so explicitly, otherwise
        # the function would fall through and return None
        return False
    elif isinstance(param, dict):
        return tainted(param.values())
    else:
        # str, buffer, arbitrary objects, etc.: tainted by default
        return True

--
http://mail.python.org/mailman/listinfo/python-list
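The same "tainted unless known otherwise" rule, as an added Python 3 example that is not part of the original post or thread. It goes slightly beyond the posted code: it also covers sets, None and open file objects, it refuses bytes-like objects (the Python 3 counterpart of the buffer() bypass above), and it wraps os.open in a guard that rejects tainted paths. SafeStr, tainted, safe_open and the sample inputs are all constructed for this illustration.

```python
import io
import os

class SafeStr(str):
    """Marker type: a str that trusted code has validated or escaped.
    Plain str values never get this type by accident, so anything that
    reaches a sink without it is treated as tainted (assumed design)."""

# Types whose values carry no attacker-controlled text.
# Open file objects are whitelisted to mirror the original's `file` entry.
KNOWN_SAFE_TYPES = (bool, int, float, complex, io.IOBase)

def tainted(param):
    """Return True unless `param` is known to be safe.

    Strings are safe only when they are SafeStr. Containers are safe only
    when every value is safe (dict keys are not checked, as in the post).
    bytes, bytearray, memoryview and arbitrary objects are tainted by
    default, which closes the buffer()-style bypass."""
    if isinstance(param, str):
        return not isinstance(param, SafeStr)
    if param is None or isinstance(param, KNOWN_SAFE_TYPES):
        return False
    if isinstance(param, (tuple, list, set, frozenset)):
        # any() returns False for an empty or all-safe container, which
        # is the explicit result the original loop forgot to return
        return any(tainted(element) for element in param)
    if isinstance(param, dict):
        return any(tainted(value) for value in param.values())
    return True

def safe_open(path, flags=os.O_RDONLY):
    """Guarded sink: only open paths that are marked safe."""
    if tainted(path):
        raise ValueError("refusing to open a tainted path: %r" % (path,))
    return os.open(path, flags)

if __name__ == "__main__":
    # Constructed inputs: an untrusted string, a bytes bypass attempt,
    # and a path that trusted code has explicitly marked safe.
    for candidate in ("/etc/passwd", b"/etc/passwd", SafeStr(os.devnull)):
        try:
            fd = safe_open(candidate)
            os.close(fd)
            print("opened  %r" % (candidate,))
        except ValueError as exc:
            print("blocked %s" % exc)
```

Run as a script it prints two "blocked" lines followed by "opened" for the SafeStr path; the guard, not the check alone, is what actually stops the sink from being reached.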