Re: [Catalyst] Catalyst and Taint?
On Tue, Jul 22, 2008 at 8:30 PM, Matt S Trout [EMAIL PROTECTED] wrote:
> On Mon, Jul 21, 2008 at 10:08:11PM -0700, Chris Weyl wrote:
>> Hey all --
>>
>> A google of catalyst taint turns up this message:
>> http://lists.scsys.co.uk/pipermail/catalyst/2005-December/004007.html
>>
>> It doesn't look like there has been a release of Module::Pluggable::Fast since then. Does anyone know where this patch lurks? :-)
>>
>> (Assuming, of course, that this is still the right path to work down.)
>
> We don't even use Module::Pluggable::Fast anymore. Catalyst went back to a refactored plain Module::Pluggable instead for 5.70+. Hopefully the patch claco sent back then got applied somewhere in the meantime.
>
> Before caring about a three year old message, first check the module it refers to is even involved anymore :)

I'll keep that in mind :) According to CPAN, Module::Pluggable::Fast hasn't been updated since 16 Dec 2005, about 2 weeks before that email was sent. If it was applied, I rather suspect it wasn't there.

> (and since you're the only person since to mention taint mode, I don't think most people care about it - I certainly don't see it being very useful for Catalyst code, maybe you could enlighten us as to why you do?)

Taint mode would seem to be a good way to help protect against accidental exposures, especially in internet-facing apps. I was curious to see what would happen if I tried running an instance with -T...

Admittedly, I'm more of a newbie Catalyst user than internals person by any measure, but is there something about Catalyst that renders taint unnecessary, or moot? ...or obsolete? ...or more of a pain than it's worth?

-Chris

--
Chris Weyl
Ex astris, scientia

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst and Taint?
On Tue, Jul 22, 2008 at 11:45:09PM -0700, Chris Weyl wrote:
> On Tue, Jul 22, 2008 at 8:30 PM, Matt S Trout [EMAIL PROTECTED] wrote:
>> On Mon, Jul 21, 2008 at 10:08:11PM -0700, Chris Weyl wrote:
>>> Hey all --
>>>
>>> A google of catalyst taint turns up this message:
>>> http://lists.scsys.co.uk/pipermail/catalyst/2005-December/004007.html
>>>
>>> It doesn't look like there has been a release of Module::Pluggable::Fast since then. Does anyone know where this patch lurks? :-)
>>>
>>> (Assuming, of course, that this is still the right path to work down.)
>>
>> We don't even use Module::Pluggable::Fast anymore. Catalyst went back to a refactored plain Module::Pluggable instead for 5.70+. Hopefully the patch claco sent back then got applied somewhere in the meantime.
>>
>> Before caring about a three year old message, first check the module it refers to is even involved anymore :)
>
> I'll keep that in mind :) According to CPAN, Module::Pluggable::Fast hasn't been updated since 16 Dec 2005, about 2 weeks before that email was sent. If it was applied, I rather suspect it wasn't there.

Yeah, thought so. And it's fucking horrible code, so when sri abandoned it none of us wanted to maintain it. So I talked muttley into refactoring Module::Pluggable for us instead :)

>> (and since you're the only person since to mention taint mode, I don't think most people care about it - I certainly don't see it being very useful for Catalyst code, maybe you could enlighten us as to why you do?)
>
> Taint mode would seem to be a good way to help protect against accidental exposures, especially in internet-facing apps. I was curious to see what would happen if I tried running an instance with -T...
>
> Admittedly, I'm more of a newbie Catalyst user than internals person by any measure, but is there something about Catalyst that renders taint unnecessary, or moot? ...or obsolete? ...or more of a pain than it's worth?

Taint mode just separates stuff that came from outside the app and stuff from inside the app.

The thing is, by the time you get to a $c->req object parsing has happened so it probably won't be tainted anyway. But you -do- still need to validate it. So the only thing I can see taint mode providing is a false sense of security.

But probably is not the same as definitely and if that turns out to be wrong my entire argument is bollocks. Bear this in mind :)

--
Matt S Trout                    Need help with your Catalyst or DBIx::Class project?
Technical Director              http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd.          Want a managed development or deployment platform?
http://chainsawblues.vox.com/   http://www.shadowcat.co.uk/servers/
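The distinction Matt draws above (taint tracks where a value came from, validation checks what it is) can be seen directly with Perl's -T switch. The script below is an added example, not code from the thread or from Catalyst; it assumes Perl 5.10 or later and stands in for a request object by reading a constructed query string from the QUERY_STRING environment variable (or the first command-line argument), both of which Perl taints. Run it as `QUERY_STRING='id=42' perl -T taint_demo.pl`; try `id=42abc` to see the validation step reject what the lax parse let through.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread or from Catalyst).
# Run as:  QUERY_STRING='id=42' perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that enters from outside the process (%ENV, @ARGV,
# STDIN, file reads, sockets) carries a taint flag. A framework's request
# object is built from exactly this kind of data.
my $raw = $ENV{QUERY_STRING} // $ARGV[0]
    // die "usage: QUERY_STRING='id=42' perl -T $0\n";

printf "raw query string tainted: %s\n", tainted($raw) ? 'yes' : 'no';   # yes

# 1. What request parsing typically does: pull the parameter out with a
#    regex. A regex capture always untaints its result, so the parsed
#    value arrives looking clean even though nothing about it has been
#    checked. That is the "false sense of security" described above.
my ($lax_id) = $raw =~ /(?:^|[;&])id=([^;&]*)/;
$lax_id = '' unless defined $lax_id;
printf "parsed id '%s' tainted: %s\n", $lax_id,
    tainted($lax_id) ? 'yes' : 'no';                                      # no

# 2. What the application still has to do: validate against the shape it
#    actually expects. Only a match of the strict pattern is accepted, so
#    the result is both untainted and known to be a small positive integer.
sub validate_id {
    my ($candidate) = @_;
    return $candidate =~ /\A([1-9][0-9]{0,8})\z/ ? $1 : undef;
}

my $id = validate_id($lax_id);
if (defined $id) {
    print "validated id: $id\n";
}
else {
    # Reject rather than "launder": a bare /(.*)/ capture would also clear
    # the taint flag, which is why taint mode alone is not a check.
    die "rejected id '$lax_id': not a positive integer\n";
}

# Where taint checks would actually bite: passing the still-tainted $raw
# to system(), exec(), open() for writing, unlink() and similar makes Perl
# die with "Insecure dependency ... while running with -T switch". Nothing
# here does that; the point is that $lax_id would sail through unchecked.
```

Taint mode therefore catches one class of mistake (raw outside data reaching a dangerous operation) and is silent about the one that matters most in a web app: data that has been parsed, and thus untainted, but never validated. Keep the strict pattern as the gate regardless of whether -T is on.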
Re: [Catalyst] Catalyst and Taint?
On Mon, Jul 21, 2008 at 10:08:11PM -0700, Chris Weyl wrote:
> Hey all --
>
> A google of catalyst taint turns up this message:
> http://lists.scsys.co.uk/pipermail/catalyst/2005-December/004007.html
>
> It doesn't look like there has been a release of Module::Pluggable::Fast since then. Does anyone know where this patch lurks? :-)
>
> (Assuming, of course, that this is still the right path to work down.)

We don't even use Module::Pluggable::Fast anymore. Catalyst went back to a refactored plain Module::Pluggable instead for 5.70+. Hopefully the patch claco sent back then got applied somewhere in the meantime.

Before caring about a three year old message, first check the module it refers to is even involved anymore :)

(and since you're the only person since to mention taint mode, I don't think most people care about it - I certainly don't see it being very useful for Catalyst code, maybe you could enlighten us as to why you do?)

--
Matt S Trout                    Need help with your Catalyst or DBIx::Class project?
Technical Director              http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd.          Want a managed development or deployment platform?
http://chainsawblues.vox.com/   http://www.shadowcat.co.uk/servers/