Hi Ed! Ed Pigg <suppressed> wrote:
SetEnv PERL5LIB /path/to/project_name/modules SetEnv HTML_TEMPLATE_ROOT /path/to/project_name/templates SetEnv EXTERNALS /path/to/project_name/externals Now I'm starting to get ready for deployment and have turned on Taint mode with the -T option of the instance scripts and need to untaint the environment variables. Is there a best practice for this? Ed Pigg
I've never really gotten into using taint mode (perhaps i should) but from my understanding was that "the way" to use taint mode was to turn it on (and keep it on) during *development*, to remind you to check and scrub the strings you take from external sources... and then turn it *off* for deployment for two reasons:
1) its a performance drain, and b) once your code passes its taint checks, it's pointless to re-check it until the code is modified (which you shouldn't be doing "in product", right?)
Another good argument I've heard for developing in taint mode is that each string has it's own particular risks, based on where you get it and what you intend to do with it, so untainting it (matching it to any regex) needs to be though about on a case by case basis. Its easy to match all strings against the same regex, thereby "untainting" them, but that's a pointless exercise because different strings need to be checked for different problems: strings you're going to insert into your database should be sql-escaped first, while strings used to locate and write file and path names (like those in your example) need to have scary file/path name characters checked, and maybe ensure that they are absolute paths starting with / and/or that they don't point to scary places like /etc/passwd/ or /proc :-)
So the presumption is that you're in a better position to implement the *best* untainting test pattern for a given string when you wrote the code that introduced it into your program, as opposed to at the end of the development, at which point you might tend to run the *same* tests on strings in many in *different* places in your code which need to be tested for different output purposes and/or come from differently-trustworthy sources.
For instance, I tend to trust environment variables set in my httpd.conf file (on boxes where I have root) but, on a shared server in a commercial web hosting environment? .htaccess files there may be a lot less "safe" to trust.
Hope this helps,-dave
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.