Re: Proposed change regarding "Taint" support

in reply to Proposed change regarding "Taint" support

Out of a habit, I run scripts under taint mode... if the CPAN dependencies permit it. I also more or less regularly run my unit tests under taint mode, and make sure my own stuff is taint-proof.

However, I think Neil has a point with his P5P message. Taint mode was useful in the olden days, where everything (including server stuff) happened on a few Unix hosts and people shared their scripts and used other people's scripts freely because that was just convenient.

Taint mode helps against a certain class of things which might turn out insecure, but today's attackers have found easier targets, and taint mode has always produced its share of false positives. If it goes away, I'll miss it, but only a bit.

Comment on Re: Proposed change regarding "Taint" support

Replies are listed 'Best First'.
Re^2: Proposed change regarding "Taint" support by mr_mischief (Monsignor) on Aug 13, 2021 at 20:49 UTC
It might be nice to have a tool that is Perl with a taint mode or something like it left in for development and testing. The main language could have it completely gone so there's no performance penalty. Unfortunately if done just that way it's likely to rot. A completely separate analysis tool may be a better bet.	[reply]
Re^3: Proposed change regarding "Taint" support by perlancar (Hermit) on Aug 19, 2021 at 02:08 UTC
I was about to recommend Ruby, but after a google search found out that Ruby has also removed taint checking mechanism in 2020. So that's that.	[reply]
Re^4: Proposed change regarding "Taint" support by mr_mischief (Monsignor) on Aug 23, 2021 at 14:56 UTC
I also use Ruby some, but usually not for the same projects as Perl. It wouldn't help much to use Ruby to check for proper input sanity in Perl code over using any other language for doing that. Using Ruby over Perl in general isn't a very useful pitch.	[reply]

In Section Perl News