From: Heiko K. <Hei...@gm...> - 2004-10-04 14:29:04
I tend to use Perl's 'taint' mode whenever writing web applications. There are often problems in one or the other package, but most of the time it was possible to fix those problems. And taint mode helps a lot when developing 'safe' modules.

I just started the latest CVS version of OI with taint:

    perl -Tw script/oi2_daemon
    Using OPENINTERACT2 environment for website directory: /disk1/local/oi
    Could not include module 'OpenInteract2::SPOPS::LDAP' to handle SPOPS configuration information: Insecure dependency in require while running with -T switch at (eval 305) line 3.

and with taint warnings:

    perl -tw script/oi2_daemon

gave a real lot of warnings. I think most of the warnings are connected to libraries which are loaded from config files and then 'eval'ed, and thus are not really bad.

I guess with some restrictions on security handling, i.e. all modules/config files contain 'safe' data, it should be possible to run OI in a tainted environment. (Well, this would mean that installation of packages should only happen from the machine (as it is now), not from the net.)

I'm a bit unsure how SPOPS will handle tainted data from the DB. Has somebody already tried to make OI taint-safe? Or running SPOPS with DBI's Taint => 1 setting? Or is the whole taint idea of Perl completely out of date, since no other language, as far as I know, has implemented something similar?

Best regards,
Heiko
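A small added illustration of the failure reported above and of the untainting that a taint-safe module loader needs. This is example code written for this note, not code from OpenInteract2 or SPOPS; the temporary config file, the `spops_class` key, and the helpers `load_class` and `untaint_class` are made up for the example, and `List::Util` is used only because it ships with Perl.

```perl
#!/usr/bin/perl -T
# Added example, not OpenInteract2/SPOPS code. Run it as:  perl -T taint_demo.pl
# (perl rejects a -T shebang unless -T is also on the command line: "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample config file. Anything read from a file is tainted under -T,
# exactly like %ENV, @ARGV and STDIN. 'spops_class' is a made-up key.
my $cfg = "/tmp/taint_demo_$$.conf";
open my $out, '>', $cfg or die "cannot write $cfg: $!";
print $out "spops_class = List::Util\n";
close $out;

open my $in, '<', $cfg or die "cannot read $cfg: $!";
my $line = <$in>;
close $in;
unlink $cfg;
chomp $line;

# split() does NOT untaint: the pieces inherit the taint of $line.
my (undef, $class) = split /\s*=\s*/, $line, 2;
printf "config value '%s' tainted: %s\n", $class, tainted($class) ? 'yes' : 'no';

# The require an eval'ed loader ends up doing. With a tainted name this dies
# under -T with "Insecure dependency in require while running with -T switch".
sub load_class {
    my ($name) = @_;
    (my $file = "$name.pm") =~ s{::}{/}g;   # s/// keeps the taint as well
    require $file;
    return $name;
}

if (eval { load_class($class); 1 }) {
    print "unchecked require: loaded (taint mode is not active)\n";
} else {
    print "unchecked require refused: $@";
}

# A regex capture is the only thing that untaints, so the pattern IS the policy:
# accept a Perl package name and nothing else (no '/', no '..', no leading '-').
sub untaint_class {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z_]\w*(?:::\w+)*)\z/ ? $1 : undef;
}

my $safe = untaint_class($class);
defined $safe or die "refusing config value '$class': not a module name\n";
load_class($safe);
printf "checked require: loaded %s, tainted: %s\n", $safe, tainted($safe) ? 'yes' : 'no';

# Negative case: a path-like value never reaches require at all.
my $bad = "../../etc/passwd";
printf "untaint_class('%s') -> %s\n", $bad,
    defined untaint_class($bad) ? 'accepted' : 'rejected';
```

The first `load_class` call reproduces the error from the post; the second succeeds only because `$1` from the anchored match is a fresh, untainted copy. The same idea applies to the database question: DBI's `Taint` attribute is shorthand for `TaintIn` (DBI methods croak on tainted arguments) plus `TaintOut` (every fetched value is marked tainted), so with `Taint => 1` the data inside SPOPS objects would carry taint out of the database, and any untainting would again have to be an explicit, pattern-based capture in application code rather than something SPOPS does for you.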
I tend to use perls 'Taint' mode whenever writing web-applications. There are often problems in one or the other package but most of the time it was possible to fix those problems. And taint mode helps a lot when developing 'save' modules. I just started the latest cvs-version of oi with taint: perl -Tw script/oi2_daemon Using OPENINTERACT2 environment for website directory: /disk1/local/oi Could not include module 'OpenInteract2::SPOPS::LDAP' to handle SPOPS configuration information: Insecure dependency in require while running with -T switch at (eval 305) line 3. and with taint-warning: perl -tw script/oi2_daemon gave a real lot of warnings. I think most of the warnings are connected to libraries which are loaded from config-files and then 'eval'ed and thus are not really bad. I guess with some restrictions on security handling i.e. all modules/config-files contain 'save' data it should be possible to run OI in a tainted environment. (Well, this would mean, that installation of packages should only happen from the machine (as it is now), not from the net) I'm a bit unsure how SPOPS will handle tainted data from the db? Did somebody already try to make OI taint-save? Or running SPOPS with DBI's Taint=>1 setting? Or is the whole taint-idea of perl completely out of date, since no other language as far as I know implemented something similar. Best regards, Heiko |