[Catalyst] Catalyst and Taint?

Matt S Trout dbix-class at trout.me.uk
Thu Jul 24 03:31:27 BST 2008

On Tue, Jul 22, 2008 at 11:45:09PM -0700, Chris Weyl wrote:
> On Tue, Jul 22, 2008 at 8:30 PM, Matt S Trout <dbix-class at trout.me.uk> wrote:
> > On Mon, Jul 21, 2008 at 10:08:11PM -0700, Chris Weyl wrote:
> >> Hey all --
> >>
> >> A google of "catalyst taint" turns up this message:
> >>
> >> http://lists.scsys.co.uk/pipermail/catalyst/2005-December/004007.html
> >>
> >> It doesn't look like there has been a release of
> >> Module::Pluggable::Fast since then.  Does anyone know where this patch
> >> lurks? :-)  (Assuming, of course, that this is still the right path to
> >> work down.)
> >
> > We don't even use Module::Pluggable::Fast anymore. Catalyst went back to
> > a refactored plain Module::Pluggable instead for 5.70+. Hopefully the
> > patch claco sent back then got applied somewhere in the meantime.
> >
> > Before caring about a three year old message, first check the module
> > it refers to is even involved anymore :)
> I'll keep that in mind :)
> According to CPAN, Module::Pluggable::Fast hasn't been updated since
> 16 Dec 2005, about 2 weeks before that email was sent.... If it was
> applied, I rather suspect it wasn't there.

Yeah, thought so. And it's fucking horrible code, so when sri abandoned
it none of us wanted to maintain it.

So I talked muttley into refactoring Module::Pluggable for us instead :)
> > (and since you're the only person since to mention taint mode, I don't
> > think most people care about it - I certainly don't see it being very
> > useful for Catalyst code, maybe you could enlighten us as to why you
> > do?)
> Taint mode would seem to be a good way to help protect against
> accidental exposures, especially in internet-facing apps.  I was
> curious to see what would happen if I tried running an instance with
> -T...  Admittedly, I'm more of a newbie Catalyst user than internals
> person by any measure, but is there something about Catalyst that
> renders taint unnecessary, or moot? ...or obsolete? ...or more of a
> pain than it's worth?

Taint mode just separates "stuff that came from outside the app" and
"stuff from inside the app". The thing is, by the time you get to a $c->req
object parsing has happened so it probably won't be tainted anyway. But
you -do- still need to validate it. So the only thing I can see taint mode
providing is a false sense of security. But "probably" is not the same
as "definitely" and if that turns out to be wrong my entire argument is
bollocks. Bear this in mind :)

      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/

More information about the Catalyst mailing list