[Catalyst] Re: Catalyst and Taint?

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Jul 24 10:26:00 BST 2008


* Matt S Trout <dbix-class at trout.me.uk> [2008-07-24 04:40]:
> The thing is, by the time you get to a $c->req object parsing
> has happened so it probably won't be tainted anyway.

That is a bug, though. Unfortunately a lot of Perl code has that
problem: since the official mechanism for untainting is pattern
match capture, which is a pretty common operation, a lot of code
untaints data that it doesn’t actually mean to validate, only
parse. For that, `use re 'taint'` helps. I don’t know how things
are looking in XS code.

Sadly, even if we file bugs on all the code that does this, a
mechanism that requires so much care from so many people (module
authors, namely) is just not a trustworthy safety net.

It would still be a worthwhile task though: taint mode is useful
as a layer in an in-depth defence even if you cannot rely on it
alone.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
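An added example, not from this thread or from Catalyst, of the point about parsing versus validating under taint mode. The input value is constructed (tainted by appending an empty slice of $ENV{PATH}); the sub names are made up for the demo.

```perl
#!/usr/bin/perl -T
# Added example (not part of the original mail): a regex capture used only
# to *parse* input silently drops the taint flag, while `use re 'taint'`
# keeps it so that only a deliberate allow-list validation untaints.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input. Under -T every value taken from %ENV is
# tainted; concatenating a zero-length slice of $ENV{PATH} taints the
# string without changing it (standard idiom, assumes PATH is set).
my $raw = "user=bob smith" . substr($ENV{PATH} // '', 0, 0);

# Parsing only: split "key=value" apart. Without `use re 'taint'` the
# capture variables come back untainted although nothing was validated.
sub parse_pair_plain {
    my ($s) = @_;
    return $s =~ /^([^=]*)=(.*)\z/s ? ($1, $2) : ();
}

# Same parse inside a lexical `use re 'taint'` scope: the captures keep
# the taint flag of the string they were matched against.
sub parse_pair_keep_taint {
    use re 'taint';
    my ($s) = @_;
    return $s =~ /^([^=]*)=(.*)\z/s ? ($1, $2) : ();
}

# Deliberate validation: an allow-listed shape is the only thing that
# untaints here, which is what taint mode's capture rule is meant for.
sub validate_username {
    my ($s) = @_;
    return $s =~ /^([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my ($k1, $v1) = parse_pair_plain($raw);
printf "plain parse      value tainted: %s\n", tainted($v1) ? 'yes' : 'no';

my ($k2, $v2) = parse_pair_keep_taint($raw);
printf "use re 'taint'   value tainted: %s\n", tainted($v2) ? 'yes' : 'no';

my $user = validate_username($v2);
printf "validation       %s\n",
    defined $user ? "accepted '$user', tainted: " . (tainted($user) ? 'yes' : 'no')
                  : "rejected '$v2'";
```

Run it as `perl -T script.pl` (the -T on the shebang alone is reported as "Too late" when invoked without it); the space in "bob smith" makes the allow-list validation reject the value, whereas the plain parse would already have handed it on untainted.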
