* Matt S Trout <[EMAIL PROTECTED]> [2008-07-24 04:40]:
> The thing is, by the time you get to a $c->req object parsing
> has happened so it probably won't be tainted anyway.

That is a bug, though. Unfortunately a lot of Perl code has that problem: since the official mechanism for untainting is pattern match capture, which is a pretty common operation, a lot of code untaints data that it doesn’t actually mean to validate, only parse. For that, `use re 'taint'` helps. I don’t know how things are looking in XS code.

Sadly, even if we file bugs on all the code that does this, a mechanism that requires so much care from so many people (module authors, namely) is just not a trustworthy safety net. It would still be a worthwhile task though: taint mode is useful as a layer in an in-depth defence even if you cannot rely on it alone.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
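The behaviour discussed in the message above, as an added example that is not part of the original post: a parse-only regex capture silently untaints its input, while the same parse under `use re 'taint'` keeps the taint until a deliberate validation step. The header string and the sub names are constructed for illustration.

```perl
# Run as: perl -T taint_demo.pl   (file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed sample input. $^X is tainted under -T, and a zero-length
# piece of it taints whatever it is concatenated with.
my $header = 'Content-Type: text/html; charset=utf-8' . substr($^X, 0, 0);

# Hypothetical parser: only splits the header, no validation intended.
# Default regex semantics: the captures come back untainted anyway.
sub parse_default {
    my ($line) = @_;
    my ($name, $value) = $line =~ /\A([^:]+):\s*(.*)\z/s;
    return ($name, $value);
}

# Same parser under "use re 'taint'": captures keep the taint of the input.
sub parse_keep_taint {
    my ($line) = @_;
    use re 'taint';
    my ($name, $value) = $line =~ /\A([^:]+):\s*(.*)\z/s;
    return ($name, $value);
}

# Deliberate validation step: a strict allow-list pattern. The pragma is
# already off in this scope; "no re 'taint'" only makes the intent explicit.
sub validate_charset {
    my ($value) = @_;
    no re 'taint';
    my ($charset) = $value =~ /;\s*charset=([A-Za-z0-9._-]{1,40})\z/;
    return $charset;
}

sub report {
    my ($label, $v) = @_;
    printf "%-34s %s\n", $label,
        !defined $v ? 'rejected' : tainted($v) ? 'tainted' : 'untainted';
}

report('input header',            $header);
report('default parse: value',    (parse_default($header))[1]);
report("re 'taint' parse: value", (parse_keep_taint($header))[1]);
report('validated charset',       validate_charset((parse_keep_taint($header))[1]));
```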
