
Re: [cgiapp] Site layout best practices question


On 5/19/06, Jesse Erlbaum <suppressed> wrote:
> Now I'm starting to get ready for deployment and have turned
> on Taint
> mode with the -T option of the instance scripts and need to untaint
> the environment variables. Is there a best practice for this?


I generally don't use taint because I've found it to be a huge pain in
the ass, with dubious security value.  (It warns on many things which
don't matter, and encourages the programmer to write bad regular
expressions to hush up the warnings.  If I wanted a language which
forces me to jump through useless hoops, I'd use Java!)

I don't tend to use Taint mode either.  I rarely ever run system
commands from web scripts, and when I do I always use the list method
so as not to invoke the shell.  When making database calls I always
always always use placeholders.  And when building filenames
dynamically, I always strip out everything but alphanumerics and a
couple other characters (like _ - and .).  And lastly, I never use
eval "" (unless absolutely necessary, and then never with user defined
variables).

These are pretty common rules that should always be followed
regardless of whether Taint mode is on or off, and they protect you
from most of the things that Taint mode is intended to help with.

As for dealing with the ENV variables, it is easiest to just unset
any ENV variables that you do not need.  For things like PATH, just
set it explicitly in your script.  See the perlsec manual page for
some examples of dealing with ENV variables under taint mode.

Cheers,

Cees
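The rules in the reply above (list-form system(), DBI placeholders, a whitelist for filenames, no string eval on user data, pruning %ENV and setting PATH explicitly) applied together in one small script running under -T. This is an added example written for this archive page, not code from the thread or from CGI::Application; it assumes DBI with DBD::SQLite is installed for the placeholder demonstration, and the table, rows and CGI-style parameters are constructed inline. The filename filter goes one step beyond the reply by also refusing a leading dot, so "..", "." and dotfiles are rejected rather than only stripped.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): the rules from the reply
# above applied in one CGI-style script running under taint mode (-T).
use strict;
use warnings;

# 1. Environment: drop what the script does not need and set PATH
#    explicitly rather than trusting what the web server inherited
#    (the perlsec recipe).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# 2. Filenames built from user input: keep only a known-safe character
#    set. The capture ($1) is what untaints the value, so the class is
#    deliberately narrow: alphanumerics, underscore, dash and dot, with
#    no leading dot so "..", "." and dotfiles are refused outright.
sub clean_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/;
    return;    # anything else is rejected, not "fixed up"
}

# 3. External commands: the list form of system() never goes through
#    /bin/sh, so shell metacharacters in arguments are never interpreted.
#    Taint mode still requires the arguments themselves to be untainted.
sub list_dir {
    my ($dir) = @_;
    my @cmd = ('/bin/ls', '-l', '--', $dir);
    my $rc = system(@cmd);    # no shell involved
    return $rc == 0;
}

# 4. Database calls: placeholders keep data out of the SQL text entirely.
#    Assumes DBI and DBD::SQLite (in-memory DB so it runs stand-alone);
#    the table and its one row are constructed for this example.
sub lookup_user {
    my ($username) = @_;
    require DBI;
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, AutoCommit => 1 });
    $dbh->do('CREATE TABLE users (name TEXT, role TEXT)');
    $dbh->do('INSERT INTO users VALUES (?, ?)', undef, 'alice', 'admin');
    # The bound value is always data: "alice' OR '1'='1" is just a name
    # that matches no row, never part of the query.
    my $sth = $dbh->prepare('SELECT role FROM users WHERE name = ?');
    $sth->execute($username);
    my ($role) = $sth->fetchrow_array;
    $dbh->disconnect;
    return $role;
}

# 5. No string eval on user data. When a parameter has to choose
#    behaviour, dispatch through a fixed table of code refs instead.
my %actions = (
    list => sub { list_dir('/tmp') },
    role => sub { lookup_user($_[0]) },
);

sub dispatch {
    my ($action, $arg) = @_;
    return exists $actions{$action} ? $actions{$action}->($arg) : undef;
}

# Constructed sample input standing in for CGI parameters. In a real
# request these values arrive tainted; here they are literals.
my %param = (
    file   => '../etc/passwd',
    user   => "alice' OR '1'='1",
    action => 'role',
);

my $fn  = clean_filename($param{file});
my $msg = defined $fn ? "filename ok: $fn" : "filename rejected";
print "$msg\n";

my $role = dispatch($param{action}, $param{user});
print defined $role ? "role: $role\n" : "no such user\n";

print "role for alice: ", lookup_user('alice'), "\n";
```

Run it as `perl -T example.pl` (the -T on the shebang is only honoured when the script is started directly; otherwise perl dies with "Too late for -T"). With the constructed input the filename is rejected, the injected username matches no row, and the literal lookup returns admin; none of the three paths ever hands user data to a shell, to the SQL parser, or to eval.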
