I think that if a package deliberately tries to untaint data, and then
the data isn't untainted, there will be an error shortly.
Perhaps you could be more specific about what you mean by untainting
things which shouldn't be untainted? Did you mean globals?
Otherwise, I'd think that if a package author untainted data, you
should let him have it untainted. If the data wasn't untainted
CORRECTLY, that's a bug. But otherwise?
=Austin
--- [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
SUMMARY
The 'untaintby' property restricts which modules may untaint the data
or
data derived from that data.
DETAILS
I was recently using a module I downloaded from CPAN and looking
through
the code I discovered that it untainted certain data that it had no
business untainting (IMHO). The untainting was an unintended
byproduct of
some otherwise useful work. (See my earlier concern about untainting
at
http://makeashorterlink.com/?Y28261A12)
Now, tainting is a funny thing: it's an admission that maybe your
program
doesn't work quite the way you want it to. I submit that if it's
healthy to
doubt the perfection of your own code (even though you run it), it's
also
healthy to doubt other people's code (even though you use it). I
would feel
a little more comfortable if I could say I'll hold back the
untainting to
just my own code.
Here's my little brainstorm. Objects can be marked with a property
called
'untaintby'. The value of the property is a list of modules that are
allowed to untaint the data. Example:
my $command is untaintby('MyApp::Commands', 'Util::IdCheck')
= CGI.param('command');
Any module that isn't authorized by that list cannot untaint the
data, and
cannot derive untainted data from it. No error results from a class
trying
to do an unauthorized untaint: the data just isn't untainted.
So, for example, if the data were copied into $privatecmd in
Foo::Bar, that
copied value would inherit the untaintby property. If a regex were
run
against $privatecmd...
# bad untainting, bad!
$mycmd =~ m|([^!-`])+|;
$newcmd = $1;
... $newcmd would also inherit the untaintby property, and would
still be
tainted. Modules may further restrict the untaintby property (i.e,
shorten
the list) but they may not add to it.
The module that initially sets the untaintby property is by default
included in the list, so to restrict to just the current class you
could
say
my $command is untaintby() = CGI.param('command');
(Hmm, I'm not sure about that, though. It isn't clear just reading
it that
the current module can untaint. What do you think?)
-Miko
mail2web - Check your email from the web at
http://mail2web.com/ .
__
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos More
http://faith.yahoo.com