Aristotle Pagaltzis wrote:
> * Matt S Trout <[EMAIL PROTECTED]> [2008-07-24 04:40]:
>> The thing is, by the time you get to a $c->req object parsing
>> has happened so it probably won't be tainted anyway.
>
> That is a bug, though. Unfortunately a lot of Perl code has that
> problem: since the official mechanism for untainting is pattern
> match capture, which is a pretty common operation, a lot of code
> untaints data that it doesn’t actually mean to validate, only
> parse. For that, `use re 'taint'` helps. I don’t know how things
> are looking in XS code.
>
> Sadly, even if we file bugs on all the code that does this, a
> mechanism that requires so much care from so many people (module
> authors, namely) is just not a trustworthy safety net.
>
> It would still be a worthwhile task though: taint mode is useful
> as a layer in an in-depth defence even if you cannot rely on it
> alone.
>
> Regards,

I'm torn. On one hand, -T doesn't really gain me anything other than advance notice of something I may want to take a closer look into.

On the other hand, there's nothing more frustrating than deciding that TaintMode On in MP is what you want, only to have a handful of modules you don't control (older File::Find) totally choke.

Personally, I think every module on CPAN should work and be tested under -T mode, if for no other reason than to not be the cog in the wheel standing in the way of someone wanting to use the module AND taint mode together.

To each their own. I'm sure I don't eat my own dogfood in this respect, sometimes because -T in test files kills things like File::ShareDir + use lib + INC.

-=Chris
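Aristotle's point above, that a pattern-match capture untaints data the code only meant to parse, and that `use re 'taint'` keeps the taint, shown as an added Perl example that is not from this thread. It assumes you run it with `perl -T`; the tainted sample string is constructed by concatenating an empty slice of $ENV{PATH}, which carries taint under -T.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted input: under -T, %ENV is tainted, and an empty
# substring of a tainted value is still tainted, so the concatenation
# taints our sample string without touching any real external input.
my $tainted = 'user=alice;role=admin' . substr($ENV{PATH}, 0, 0);
print "input tainted: ", (tainted($tainted) ? 'yes' : 'no'), "\n";

# Default behaviour: the capture untaints the result, even though the
# pattern only parses "role=..." and validates nothing.
sub parse_default {
    my ($s) = @_;
    my ($role) = $s =~ /role=([^;]*)/;
    return $role;
}

# With `use re 'taint'` in lexical scope, the capture keeps the taint of
# its source, so a later system()/open() still refuses to use it.
sub parse_keep_taint {
    use re 'taint';
    my ($s) = @_;
    my ($role) = $s =~ /role=([^;]*)/;
    return $role;
}

# A deliberate validation step: untaint only after an allow-list match.
sub validate_role {
    my ($r) = @_;
    return $r =~ /\A(admin|user|guest)\z/ ? $1 : undef;
}

my $r1 = parse_default($tainted);
my $r2 = parse_keep_taint($tainted);
my $ok = validate_role($r2);

printf "parse_default:    %s tainted=%s\n", $r1, tainted($r1) ? 'yes' : 'no';
printf "parse_keep_taint: %s tainted=%s\n", $r2, tainted($r2) ? 'yes' : 'no';
printf "validate_role:    %s tainted=%s\n",
    defined $ok ? $ok : '(rejected)', tainted($ok) ? 'yes' : 'no';
```

Swapping the sample role for something outside the allow-list shows validate_role rejecting it while parse_default would have handed it back untainted.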


_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/