David Kaufman <suppressed> recently posted, in part:
...and then turn [taint] *off* for deployment for two reasons: 1) it's a performance drain, and b) once your code passes its taint checks, it's pointless to re-check it until the code is modified (which you shouldn't be doing "in product", right?)
For a long time now I've always used strict, warnings, and
taint on all of my CGI applications, from the very beginning
to final deployment and it never occurred to me to turn off
taint in production for performance reasons.
So I tried a little informal test. I wrote a small program
that does a regular expression match on every line of it's
input, capturing the result in $1 -- the presumably untainted
value. I ran this program using a 200K line log file as
input, running it several times both with taint on and off.
Typical numbers with taint off:
real 0m4.461s
user 0m4.260s
sys 0m0.140s
and with taint on:
real 0m7.760s
user 0m6.120s
sys 0m0.150s
So there was indeed a measurable performance hit with taint
on, but not so much that I'd worry. On the other hand my
little test program was only 12 lines long. The performance
hit with taint *may* very well go up, depending upon the size
of the program, because Perl will have more variables to
check and keep track of. Dunno.
But personally I believe the time you really want taint
turned on is *in* production. While the goal of testing is
to make sure every line of code has been exercised, there's
nothing like putting an app in the hands of real users to
really find out where the bugs are. And that's when I really
want taint -- to stop a program dead in its tracks if a user
manages to sneak a value past all my careful untainting
because they managed to follow a logic path I never actually
tested.
If performance were to become an issue with a given app, I'd
start looking first at doing things like using the 'study'
function on my regular expressions and using benchmarking to
find where time is actually being spent, before I'd turn off
taint.
...BC
--
Bill Costa                        "No good deed... goes unpunished."
1 Leavitt Lane, CIS/Telecom -- 2nd Floor
University of New Hampshire, Durham, NH 03824 USA
Voice: +1-603-862-3056
http://pubpages.unh.edu/~wfc/
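As an added example (not Bill Costa's twelve-line test program, whose source is not in the post), the following Perl script shows what taint mode actually stops and why the regex used to untaint matters: a capture from `/(.*)/` launders a value without validating it, while a narrow pattern rejects anything unexpected. The filename pattern and the `ls` call are my own assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as:
#   printf 'access.log\nfoo;rm -rf /\n' | perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, everything from outside the program (STDIN, @ARGV, %ENV) is
# tainted. PATH must be set to a known value before any subprocess runs,
# or Perl dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

sub status { return tainted($_[0]) ? 'tainted' : 'untainted' }

while (my $line = <STDIN>) {
    chomp $line;
    print "input '$line': ", status($line), "\n";

    # Passing a tainted value to system() is exactly what taint mode
    # blocks: the call dies with "Insecure dependency in system".
    my $ran = eval { system('/bin/ls', '-ld', $line); 1 };
    print "  system() with raw input: ", ($ran ? 'ran' : "blocked: $@");

    # Too-loose untaint: the capture matches anything, so $1 is untainted
    # but nothing has been validated. Taint mode trusts the pattern.
    my ($loose) = $line =~ /^(.*)$/;
    print "  capture from /(.*)/: ", status($loose), " (no validation)\n";

    # Strict untaint (assumed policy): only a plain file name survives;
    # shell metacharacters, spaces and path separators are rejected.
    if (my ($name) = $line =~ /^([\w.-]+)$/) {
        print "  capture from strict pattern: ", status($name), "\n";
        my $ok = eval { system('/bin/ls', '-ld', $name); 1 };
        print "  system() with validated name: ", ($ok ? "ran\n" : "blocked: $@");
    } else {
        print "  rejected: does not look like a plain file name\n";
    }
}
```

The script must be started with `perl -T` (or a matching shebang); running it without the switch gives "Too late for -T" rather than silently dropping the checks.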