http://qs321.pair.com?node_id=751689

chromatic recently tweeted the question:

"Should Modern::Perl enable taint mode? (If so... hm, how do I do it?)"

...which surprised me, as I tend not to use taint mode.

petdance then replied saying:

"Yes, yes, taint mode is crucial. There's rarely a reason NOT to use it."

...which surprised me even more.

I tried using taint mode throughout my application at one stage, but found myself naively untainting paths with

($path) = ($path=~/(.+)/)

which kinda defeats the purpose. Almost always, I found that the stuff I was untainting would have required root access to mess with anyway, and so I gave up on taint mode. The places where exploits were possible, I added relevant code to deal with those particular situations, and all data coming from the user gets validated.

Of course, I may have missed some situations. Maybe I'm being naive. But is enabling taint mode by default the answer to that? Doesn't it mean that, for most people, their code will just fill up with:

$path = untaint($path)

What do you think? To taint or not to taint?

Clint
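As an added illustration of the two untainting styles the post contrasts (this is example code written for this page, not Clint's code or anything from Modern::Perl), the script below runs under -T, taints some constructed sample inputs the way CGI parameters would be, and pushes each through both the blanket `(.+)` launder and a whitelist untaint that only accepts a plain relative path. It then shows which of the three values Perl actually refuses in a write-open. Assumptions: the environment is non-empty (that is where the taint is borrowed from), the system temp directory is writable, and the script is started as `perl -T taint_demo.pl` (a bare `perl taint_demo.pl` dies with "Too late for -T").

```perl
#!/usr/bin/perl -T
# Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);

# Under -T every value that enters from outside (%ENV, @ARGV, STDIN, file
# contents) is tainted.  Borrow a zero-length tainted string from %ENV before
# scrubbing it, so the constructed samples below carry taint like real input.
# (Assumption: %ENV is non-empty; with an empty environment nothing is tainted.)
my $taint = substr(join('', values %ENV), 0, 0);

# Scrub the environment: -T refuses system()/backticks with an insecure PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The blanket untaint from the post, verbatim: it launders the value and checks
# nothing.  Note that without /s the (.+) also silently stops at a newline.
sub untaint_anything {
    my ($s) = @_;
    my ($clean) = $s =~ /(.+)/;
    return $clean;
}

# A real untaint: only a relative path of plain segments survives, so a leading
# "/", "..", dotfiles, embedded newlines and shell metacharacters are rejected.
sub untaint_relpath {
    my ($s) = @_;
    my ($clean) = $s =~ m{ ^ ( [A-Za-z0-9_-][A-Za-z0-9._-]*
                               (?: / [A-Za-z0-9_-][A-Za-z0-9._-]* )* ) \z }x;
    return $clean;    # undef when the input does not match the whitelist
}

# A side effect that taint mode polices.  Returns 'insecure' when Perl refuses
# the tainted value, 'ok' when the append-open succeeds, otherwise the OS error.
sub try_append {
    my ($dir, $path) = @_;
    my $ok = eval { open(my $fh, '>>', "$dir/$path") or die "$!\n"; close $fh; 1 };
    return 'ok' if $ok;
    chomp(my $err = $@);
    return $err =~ /Insecure dependency/ ? 'insecure' : "error: $err";
}

# Make newlines visible when printing a sample.
sub display { (my $d = shift) =~ s/\n/\\n/g; return "'$d'" }

# Constructed sample inputs (not from the original post), tainted on purpose.
my @samples = map { $_ . $taint } (
    '2024-01.txt',
    '../../etc/passwd',
    "report.txt\n/etc/passwd",
    'report.txt;rm -rf .',
);

for my $input (@samples) {
    my $naive  = untaint_anything($input);
    my $strict = untaint_relpath($input);
    printf "%-28s raw tainted=%d  naive=%s tainted=%d  strict=%s\n",
        display($input), tainted($input) ? 1 : 0,
        display($naive), tainted($naive) ? 1 : 0,
        defined $strict ? display($strict) : 'REJECTED';
}

# The benign sample, pushed through a check that -T actually enforces.  The raw
# value is refused, the laundered one is waved through, and the strict one is
# accepted because it was validated rather than merely untainted.
my $dir = tempdir(CLEANUP => 1);
printf "raw:    %s\n", try_append($dir, $samples[0]);
printf "naive:  %s\n", try_append($dir, untaint_anything($samples[0]));
printf "strict: %s\n", try_append($dir, untaint_relpath($samples[0]));
```

The point the output makes is the one the post is circling: `(.+)` turns every hostile sample into an untainted string that -T will happily pass to open, unlink or system, so taint mode only adds value when each untaint is also the validation step for that particular kind of data.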