[Catalyst] Re: Catalyst and Taint?
pagaltzis at gmx.de
Thu Jul 24 10:26:00 BST 2008
* Matt S Trout <dbix-class at trout.me.uk> [2008-07-24 04:40]:
> The thing is, by the time you get to a $c->req object parsing
> has happened so it probably won't be tainted anyway.
That is a bug, though. Unfortunately a lot of Perl code has that
problem: since the official mechanism for untainting is pattern
match capture, which is a pretty common operation, a lot of code
untaints data that it doesn’t actually mean to validate, only
parse. For that, `use re 'taint'` helps. I don’t know how things
are looking in XS code.
Sadly, even if we file bugs on all the code that does this, a
mechanism that requires so much care from so many people (module
authors, namely) is just not a trustworthy safety net.
It would still be a worthwhile task though: taint mode is useful
as a layer in an in-depth defence even if you cannot rely on it
Aristotle Pagaltzis // <http://plasmasturm.org/>
More information about the Catalyst