http://qs321.pair.com?node_id=430188

jfroebe has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I know using Taint mode can be a royal PIA for development, but I'm thinking that maybe it is a good thing to have on all the time. I'm thinking of security and to, in a small way, S.M.A. when I type in one window thinking I'm in another (two monitors hooked up).

I'm viewing taint in the same light as 'strict' mode. Sure, it is a PIA to get used to, but it is better... isn't it? ;-)

My question is: is there any good reason NOT to use taint mode all the time (except maybe one liners)?

Jason L. Froebe

Team Sybase member

No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil, Stargate SG-1

Re: Taint mode... use all the time?
by talexb (Chancellor) on Feb 11, 2005 at 19:51 UTC

    As I understand it, taint mode prevents user input ('tainted data') from finding its way to the underlying OS where it might be used to compromise security.

    This is meaningful in a web application, where you want to protect your servers from web monkeys trying to poke and prod their way through your application to the OS.

    It's not so meaningful in (for example) an installation script, where you want to be able to specify an installation directory (as I did earlier today) and have the script write stuff into that directory.

    From an efficiency point of view, I imagine that taint causes Perl to perform more checks, thus it may run more slowly. That's a waste of cycles if such checks aren't required.

    Alex / talexb / Toronto

    "Groklaw is the open-source mentality applied to legal research" ~ Linus Torvalds

      This is meaningful in a web application, where you want to protect your servers from web monkeys trying to poke and prod their way through your application to the OS.

      s/servers from web monkeys/computers from users/

      That's a waste of cycles if such checks aren't required.

      "Yeah, some luser stole the CC database, ordered $10_000_000_000 of goods, sold the customer list to spammers and deleted all the real orders, but hey! the application runs 0.002% faster!"

      Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?

      I use -T for pretty much anything that's going to be run by anyone except me (I assume I'll supply only valid input -- I'm right _most_ of the time): Like use strict; it helps me write good code, in this case ensuring I validate user input.

      * "What do you mean I can't use spaces, (), &, ;, *, ? in filenames?"

      -- Sorry if this is abrupt: it's been a rough week!
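As an added example (not code from talexb or from the reply above), the script below shows the mechanism both posts describe: under -T every value that comes from @ARGV, %ENV or STDIN carries a taint flag, values derived from it inherit the flag, using one in system() dies before the shell ever sees it, and only a regex capture clears the flag, which is what forces you to write the validation. The directory /var/tmp and the whitelist pattern are this example's own choices, not anything from the thread.

```perl
#!/usr/bin/perl -T
# Added example: how -T tracks user input and how to untaint it properly.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# %ENV is tainted too. A tainted PATH makes every system()/exec() die, so
# set it explicitly and drop the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

die "usage: $0 FILENAME\n" unless @ARGV;
my $name = $ARGV[0];                 # tainted: it came from outside the program
my $path = "/var/tmp/$name";         # derived from a tainted value, so tainted

printf "%-12s tainted=%d  %s\n", 'argument',     tainted($name) ? 1 : 0, $name;
printf "%-12s tainted=%d  %s\n", 'derived path', tainted($path) ? 1 : 0, $path;

# Using the tainted value in a shell command is exactly what -T forbids.
# It dies with "Insecure dependency in system while running with -T switch"
# before /bin/sh sees the string, so "x; rm -rf /" is never interpreted.
eval { system("ls -ld $path"); 1 }
    or print "blocked by -T: $@";

# A regex capture is the only thing that clears the flag, so the pattern
# IS the validation. Make it a whitelist of what a filename may look like:
# spaces, (), &, ;, *, ? and also '.', '..' and '/' simply fail to match.
my ($clean) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/
    or die "refusing filename '$name': only [A-Za-z0-9_.-], no leading dot\n";

printf "%-12s tainted=%d  %s\n", 'after regex', tainted($clean) ? 1 : 0, $clean;

# List-form system() bypasses the shell, but -T still checks every
# argument, which is why $clean (and not $name) has to be used here.
system('ls', '-ld', "/var/tmp/$clean") == 0
    or warn "ls exited with status ", $? >> 8, "\n";
```

Run it as `perl -T taint_demo.pl 'x; rm -rf /'` and then with a plain name such as `notes.txt`; the first system() call is blocked in both cases because $path is tainted regardless of its contents, and only the second call, with the validated copy, is allowed to run.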
        Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?
        Yes, but that's a far cry from "having it on all the time". Most users cannot (on a proper system) damage the system anyway. It doesn't make sense to have taint checking on oh, say "ls", or "vi" (unless you were to make a restricted shell inside "vi").

        And it's not that the language offers you a helping hand free of costs. It's like equipping electronic locks on all the doors in your house - including the doors to any closets, and the lid on your toilet. Locks that can only be unlocked (for one time usage, closing the door auto-locks) by typing in a 16 character hex code. Sure, it helps reduce theft from your home. But it isn't very convenient to go from one room to another anymore.

      So, the taint really comes into play whenever there is a user interface of some sort. Whether it is web based, curses based, Tk based, etc.

      Taint mode would be wasted on non-interacting scripts (installation, etc.)... do I have this correct? Trying to make sure I understand the reasoning :)

      Jason L. Froebe

      Team Sybase member

      No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil, Stargate SG-1

        I don't see much point of using -T on stuff like interactive clients, Tk or not. After all, if the user is going to try to mess with the client, all he can do is screw himself. I make it a point to use it for the server end though, whether it's a CGI script, daemon, Win32 service, or whatnot.

        That's not to say that a client program shouldn't be doing any kind of error checking. It should, to some extent. But the server shouldn't depend on that at all, and it should thoroughly check all input in minute detail (which is where taint mode helps out a bit, though it's not 100% foolproof).

        Basically, it comes down to this: any code running on a machine which you don't control is code that you can't depend on in terms of security.

Re: Taint mode... use all the time?
by gaal (Parson) on Feb 11, 2005 at 20:40 UTC
    Security often comes at the price of convenience. If developers don't see what they're getting for the price they are paying, they start working around the inconveniences, which often undermines the security.

    You don't want someone to write an ::untaint() sub somewhere and see everyone start using it indiscriminately, do you?
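The helper gaal warns about is short, looks reasonable and is exactly what people write once -T starts getting in the way. This added example (not gaal's code) puts such a sub next to a purpose-specific one so the difference is visible: perl only requires that a value went through a regex capture, it cannot tell whether the pattern meant anything. The input string is constructed for the demonstration and `id` stands in for whatever command the value would really be handed to.

```perl
#!/usr/bin/perl -T
# Added example: a generic untaint() sub satisfies -T without validating anything.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$ENV{PATH} = '/bin:/usr/bin';

# The sub that turns up in a shared module. It clears the taint flag on
# any string whatsoever: the capture always matches, so -T is always happy.
sub untaint_anything {
    my ($value) = @_;
    my ($clean) = $value =~ /\A(.*)\z/s;     # accepts every possible string
    return $clean;
}

# Same calling convention, but the pattern describes one kind of value
# (here a Unix user name) and returns undef for anything else.
sub untaint_username {
    my ($value) = @_;
    my ($clean) = $value =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return $clean;
}

# Constructed input of the kind a form field or argument might deliver.
my $user = @ARGV ? $ARGV[0] : 'nobody; rm -rf /';

my $laundered = untaint_anything($user);
printf "untaint_anything: tainted=%d value=%s\n",
    tainted($laundered) ? 1 : 0, $laundered;
# -T no longer objects to any use of $laundered. The list form below hands
# the whole string to id as one argument, so this is harmless (id reports
# no such user); in the one-string form, system("id $laundered"), the shell
# would have run both commands, and -T would have let it.
system('id', $laundered);

my $checked = untaint_username($user);
if (defined $checked) {
    printf "untaint_username: tainted=%d value=%s\n",
        tainted($checked) ? 1 : 0, $checked;
    system('id', $checked);
} else {
    print "untaint_username: rejected '$user'\n";
}
```

Run with `perl -T untaint_demo.pl` to see the constructed injection string pass untaint_anything() and be rejected by untaint_username(); pass a real user name as the argument to see both accept it. The lesson is that -T only enforces that validation happened somewhere, so the reviewable part of the program is the set of patterns, and a pattern of `.*` means the review has nothing to look at.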

Re: Taint mode... use all the time?
by PodMaster (Abbot) on Feb 12, 2005 at 11:59 UTC
    I'm viewing taint in the same light as 'strict' mode. Sure, it is a PIA to get used to, but it is better... isn't it? ;-)
    -T is exactly like strict, don't turn it off unless you know what you're doing (and are confident in that knowledge), but even then you should think twice about it. It is only a PIA if you forget what kind of headaches it helps avert.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Re: Taint mode... use all the time?
by petdance (Parson) on Feb 12, 2005 at 06:28 UTC
    Do -T everywhere. There's really no reason not to. Speed is probably a non-issue, and if you get some PITA warnings, good.

    xoxo,
    Andy

Re: Taint mode... use all the time?
by tphyahoo (Vicar) on Feb 14, 2005 at 11:50 UTC
    Thank you, o Monks, for that illuminating discussion of Taint.

    Based on what I have read so far, I definitely need to start using taint for some of my work.

    I'm a bit confused how to set this up though. I can get taint with

    perl -T
    from the DOS prompt. But I like to control things at the script level. When I "use Taint" in my code, the program dies because there's no Taint package installed.

    There is a taint package on CPAN. But when I try

    ppm install Taint
    no repository is found with this package/directive.

    Can taint mode only be turned on from the shell with -T? Or does Taint not play nicely with ActiveState and Windows?

      You should supply the -T in the shebang line, however if you do so this precludes running the program like:

      perl <scriptname>
      at the command prompt (or elsewhere, such as a CGI program on IIS). There is a small article on overcoming this problem with IIS in the NMS FAQ.

      /J\
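There is no `use Taint` pragma to install: taint mode is a property of the interpreter, `${^TAINT}` is read-only, and a `#!/usr/bin/perl -T` line only takes effect when the kernel (or a launcher that honours the #! line) passes -T to perl. Running `perl script.pl` against such a line dies at startup with `Too late for "-T" option`. The following added example (not from the thread or the NMS FAQ) shows the usual workaround: leave -T off the #! line and have the script re-exec itself under -T when `${^TAINT}` shows it is missing. It needs perl 5.8 or later, which introduced `${^TAINT}` and the warn-only `-t` switch, and works with ActivePerl as well, since perl's Win32 exec runs the child and exits with its status.

```perl
#!/usr/bin/perl
# Added example: turn -T on from inside a script by re-executing under it.
# NOTE: deliberately no -T on the #! line above. With -T there,
# "perl script.pl" dies with: Too late for "-T" option at script.pl line 1.
use strict;
use warnings;

# ${^TAINT} is 1 under -T, -1 under -t (taint violations warn instead of
# dying), 0 otherwise. It cannot be assigned to, so the only way to change
# it is to start a new interpreter. Nothing tainted has been used yet.
unless (${^TAINT}) {
    # List-form exec: no shell, so odd characters in $0 or @ARGV pass
    # through untouched. $^X is the path of the running perl binary.
    exec $^X, '-T', $0, @ARGV
        or die "cannot re-exec '$^X -T $0': $!\n";
}

# Everything below runs under taint mode however the script was started:
# ./script.pl, perl script.pl, or perl -T script.pl.
$ENV{PATH} = '/bin:/usr/bin';               # %ENV is tainted under -T
print "taint mode: ${^TAINT}\n";
print "args: ", join(' ', @ARGV), "\n";

# Proof that taint mode really is on: with any argument, this dies with
# "Insecure dependency in system while running with -T switch".
if (@ARGV) {
    eval { system("echo $ARGV[0]"); 1 }
        or print "blocked: $@";
}
```

If you want the development-time experience the original poster was worried about, swap `'-T'` for `'-t'` in the exec list during development: the same checks run, but each violation is a warning rather than a fatal error, so you see every place that needs untainting in one run and switch back to `-T` before deploying.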

Re: Taint mode... use all the time?
by elwarren (Priest) on Feb 14, 2005 at 16:45 UTC
    I'm happy to bang out thousands of lines of code in sessions that last hours on end. The first two lines are always
    use strict; use warnings;
    But I'm just too lazy to type -T on the command line. Weird.

    But in all seriousness, in my personal programming style, I don't want anything as strict as taint checking. I write most of my code for myself, to run as myself. You could say, "turn it on if you're writing a server," but if you really care I would say that as, "turn on taint if you're accepting input from someone else." Servers, scripts running under servers, or clients communicating with other clients.