Re: CGI::Safe untaint syntax
by footpad (Abbot) on Jan 11, 2002 at 11:31 UTC (id://137963)
Warning: Sleep deprivation alert.

Provide a global untainting regex for simple forms. How would that be different than the standard one that everyone uses in their examples, but then tells us, "Don't use this; it's insecure. Use something more wise in the ways of your data and what you should be allowing."? *snik* (A rant button is ominously triggered.) To my mind, it might be better to provide samples that work for *very* specific circumstances, e.g.: here's one that matches:
Personally, one wonders why so many examples use .*? and then say, "This is a really lousy example. Don't use it." Where are the examples we're supposed to learn from? What works? What are the questions to ask, answer, and such not?

Don't get me wrong; I do understand why everyone says to "allow only what's permissible." However, I believe there is room for a discussion on learning how to determine what you really need. Now, whether this is better provided with CGI::Safe, Regexp::Common, or your Security Course is up to you (and/or japhy). However, I believe there is a crying need for *someone* to say, "OK. You know you need to make a decision. Let's walk through the process in a specific example and see the types of questions we encounter." It's one thing to tell someone that .*? isn't a good untainting match; it's another to discuss the issues that teach the process of choosing a better solution.

Do I think many people will read and learn from it? Maybe, maybe not. But the few that do will learn, and that will make it worthwhile. </rant>

Sorry... that's one of the reasons why I bugged you about an update in the first place. I wanted to see examples that people I respect put their servers at risk using. Show me something that works in one place and I'll evaluate its effectiveness in another. If you tell me it works in a specific case, I can accept that. Just show me the issues to consider and how you dealt with them. (Links acceptable, too)

--f
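As an added example (not part of footpad's post, CGI::Safe, or any other module named here), this is what "allow only what's permissible" looks like for one specific form: a separate untaint pattern per field, each anchored with \A and \z and admitting only the characters that field legitimately needs, so a value that does not match is rejected rather than passed through the way a global .*? capture would. The field names and patterns are assumptions chosen for the illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# One rule per field. \A and \z anchor the whole value (unlike ^ and $,
# which would let a trailing newline through). Each capture is what the
# program may use afterwards; the raw parameter stays tainted.
my %rule = (
    # Numeric record id: digits only, with an explicit length bound.
    id      => qr/\A(\d{1,9})\z/,
    # Login name: must start with a letter; letters, digits, underscore.
    user    => qr/\A([a-zA-Z][a-zA-Z0-9_]{0,31})\z/,
    # E-mail, deliberately narrow: local part, one @, a dotted host name.
    email   => qr/\A([\w.+-]{1,64}\@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+)\z/,
    # Free text: printable ASCII plus line breaks and tabs, capped length.
    comment => qr/\A([\x20-\x7e\n\r\t]{0,1000})\z/,
);

# Returns a hashref of untainted values, or dies naming the first field
# that is missing or does not match its rule.
sub untaint_form {
    my ($params) = @_;
    my %clean;
    for my $field (sort keys %rule) {
        my $raw = $params->{$field};
        die "missing field: $field\n" unless defined $raw;
        if ($raw =~ $rule{$field}) {
            $clean{$field} = $1;    # $1 is untainted; $raw is not
        } else {
            die "rejected field: $field\n";
        }
    }
    return \%clean;
}

# Constructed input standing in for a parsed CGI request, not real data.
my %good = (id => '42', user => 'footpad', email => 'f@example.org',
            comment => 'Sleep deprivation alert.');
my $ok = untaint_form(\%good);
print "accepted: $ok->{user} (id $ok->{id})\n";

# A space in the login name: .*? would have captured it unchanged.
my %bad = (%good, user => 'foot pad');
eval { untaint_form(\%bad) };
print "rejected: $@" if $@;
```

Run it as `perl -T script.pl` so taint mode is on from the first line; the same %rule table is where the "questions to ask" for a new form get answered, one field at a time.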
In Section: Seekers of Perl Wisdom