PerlMonks  

Re: When not to use taint mode

by shmem (Chancellor)
on Jun 14, 2021 at 05:51 UTC


in reply to When not to use taint mode

One argument against taint mode which surfaces every now and then is: "nah, the stuff I write is strictly for internal services/use only, it doesn't interact with the internet, so I don't need taint mode."

Which is wrong.

As if all insiders were saints or at least sane all of the time.
As if neither they, nor you, would ever be stupid.
As if most of the attacks against company infrastructure didn't come from the inside.

Taint mode is a wonderful way of preventing others - and yourself! - from doing something stupid.
Taint mode enforces good practice.

So, there's no good reason not to use it, but laziness and impatience. But then, think hubris.

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Re^2: When not to use taint mode
by LanX (Saint) on Jun 14, 2021 at 11:36 UTC
    > So, there's no good reason not to use it, but laziness and impatience.

    I disagree, it always depends on the use case.

    If I just write a script which converts one text file into another, it's overkill.

    If I write a CGI or something with root rights or generally with foreign user input, it's mandatory.

    Cheers Rolf
    (addicted to the Perl Programming Language :)

    PS: it's more or less the same reason why we don't use strict on one-liners.

      Okay, okay - no such thing as something obvious.

      > If I just write a script which converts one text file into another, it's overkill.

      And certainly this applies for one-liners also. I've never started a one-liner with perl -Te :)

      > If I write a CGI or something with root rights or generally with foreign user input, it's mandatory.

      I use taint mode in any software pertaining to business, and most certainly in scripts which are not user driven, such as glue stuff for critical automation. It doesn't exempt me from looking closely at the modules I use, but it catches dangerous stuff even there.

      perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
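The thread above argues about when taint mode is worth it but never shows what it actually does. The following Perl script is an added example, not code posted by shmem, LanX or anyone else in the thread. It is the "glue script with foreign input" case both posters describe: a report name arrives from outside, reaches a shell command, and perl -T stops it until the value has been validated. The script name taint_demo.pl, the /var/reports path and the report-name inputs are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not from the PerlMonks thread: what taint mode catches and how
# to untaint correctly. Run it both ways to see the two outcomes:
#   perl -T taint_demo.pl quarterly
#   perl -T taint_demo.pl 'quarterly; id'
# (perl must be started with -T itself; the shebang alone gives "Too late for -T"
#  when the script is run as "perl taint_demo.pl".)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T perl refuses to run system()/exec() until the environment the child
# would inherit is clean. A literal assignment produces an untainted value.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical input: a report name supplied by whoever invokes the script.
# Command line here; the same rules apply to CGI parameters, config files,
# environment variables and anything read from a filehandle.
my ($name) = @ARGV;
defined $name or die "usage: $0 REPORT_NAME\n";
printf "'%s' tainted before validation: %s\n", $name, tainted($name) ? 'yes' : 'no';

# Step 1: the naive version. Without -T, 'quarterly; id' would run "id" as well.
# With -T perl dies before /bin/sh ever sees the string:
#   Insecure dependency in system while running with -T switch
# It dies even for the harmless 'quarterly': taint tracks where a value came
# from, not what it contains, which is exactly why it catches the cases you
# did not think of.
if (!eval { system("ls -l /var/reports/$name.txt"); 1 }) {
    print "blocked by taint mode: $@";
}

# Step 2: the only sanctioned way to untaint is a capturing regex. The pattern
# must positively describe what is acceptable (an allowlist). Matching /(.*)/
# satisfies perl but not the attacker; it is the classic way to silence the
# check while keeping the hole.
my ($clean) = $name =~ /\A([A-Za-z0-9_-]{1,32})\z/
    or die "report name '$name' rejected: not a plain identifier\n";
printf "'%s' tainted after validation: %s\n", $clean, tainted($clean) ? 'yes' : 'no';

# Step 3: the same call is now permitted. Using the list form also bypasses the
# shell entirely, so even a mistake in the pattern above could not turn the
# value back into shell syntax.
system('ls', '-l', "/var/reports/$clean.txt");
```

With the input quarterly the first system() is blocked, the name passes validation, and the second system() runs (ls itself may report that the file does not exist, which is beside the point). With the input 'quarterly; id' the first system() is still blocked by taint mode and the script then dies at the regex, so the shell never runs "id" in either configuration. The part to take away is that -T did the blocking in step 1 without any validation code having been written yet, which is the "catches dangerous stuff even there" behaviour shmem refers to.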
