On Mon, 19 Aug 2002, Tim Bunce wrote:

> On Mon, Aug 19, 2002 at 12:26:24AM +1000, Bradley Baetz wrote:
> > Would it be possible for DBI to have a TaintInput attribute, similar to
> > its current |Taint| one, but only checking incoming data, without tainting
> > data coming from the DB?
> 
> I agree with the principle. Patches welcome. (Add TaintInput and TaintOutput
> attributes and make the Taint attribute set both and return true if either is set.)

OK, I've sort of done this. A couple of questions, though.

a) I've reused the current DBIcf_Taint bit for TaintIn (and added a new 
one for TaintOut). Is that likely to cause problems? I'm assuming that 
those bits are private to DBI, but I can't see any reason why a DBD driver 
couldn't be using them, in theory.

(Note that |#define DBDcf_Taint (DBDcf_TaintIn | DBDcfTaintOut)| can't be 
used because DBIbf_has actually means 'has any one of', not 'has all of')

b) Testing is a problem, because DBD::ExampleP _always_ returns tainted 
results, due to the use of readdir. (I verified this by commenting out the 
lines setting Taint to 1). If I pass $f through a regexp to detaint it 
in line 329 of ExampleP.pm, then the values aren't tainted.

However, the values then never become tainted, I think because the part in 
DBI.xs:XS_DBI_dispatch which would taint return values has the comment:

        /* DISABLED: just tainting fetched data in get_fbav seems ok    */

The problem is that ExampleP's fetch method never calls get_fbav, so the
value is never tainted. If I add a call to $sth->_get_fbav() into there,
then the taint tests pass, but other tests obviously fail later.

If I reenable that part of the code, then the taint tests pass, but
selectall_hashref fails at the ->bind_col in DBI.pm because $index is
tainted; this is presumably why that was disabled.

I have no idea how to work around this.

c) Should PurePerl really accept the Taint options if it's going to ignore
them? If an app is using DBI's taint stuff for security, then I'd want DBI
to fail when trying to enable taint mode.

> Tim.

Bradley
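The flag-bit point in (a), the "has any one of" versus "has all of" distinction and Tim's proposed "Taint sets both, reads true if either" semantics, is easy to get wrong when reading the macros, so here is a small C illustration. This is an added example, not DBI's code: the `CF_TAINT_*` enum values, the `handle_t` struct and the `has_any`/`has_all` helpers are stand-ins for DBI's `DBIcf_*` bits and its has-check, chosen only to show the behaviour described in the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in attribute bits (hypothetical values, not DBI's real DBIcf_* constants). */
enum {
    CF_TAINT_IN  = 1u << 0,                     /* check data going into the DB for taint */
    CF_TAINT_OUT = 1u << 1,                     /* taint data fetched from the DB */
    CF_TAINT     = CF_TAINT_IN | CF_TAINT_OUT   /* combined mask, as in the #define from the mail */
};

typedef struct {
    unsigned flags;     /* attribute bits for one handle */
} handle_t;

/* The has-check as the thread describes it: true if ANY bit of mask is set. */
static bool has_any(const handle_t *h, unsigned mask) {
    return (h->flags & mask) != 0;
}

/* What a combined mask would need: true only if ALL bits of mask are set. */
static bool has_all(const handle_t *h, unsigned mask) {
    return (h->flags & mask) == mask;
}

static void set_bits(handle_t *h, unsigned mask, bool on) {
    if (on) h->flags |= mask;
    else    h->flags &= ~mask;
}

/* Setting Taint turns both directions on or off at once. */
static void set_taint(handle_t *h, bool on)     { set_bits(h, CF_TAINT, on); }
static void set_taint_in(handle_t *h, bool on)  { set_bits(h, CF_TAINT_IN, on); }
static void set_taint_out(handle_t *h, bool on) { set_bits(h, CF_TAINT_OUT, on); }

/* Reading Taint returns true if either direction is enabled (the semantics Tim proposed). */
static bool get_taint(const handle_t *h)     { return has_any(h, CF_TAINT); }
static bool get_taint_in(const handle_t *h)  { return has_any(h, CF_TAINT_IN); }
static bool get_taint_out(const handle_t *h) { return has_any(h, CF_TAINT_OUT); }

/* Shows why defining Taint as the OR of both bits cannot be fed to a has-any check
 * when the intent is "both directions on": with only TaintIn set, has_any(CF_TAINT)
 * answers true while has_all(CF_TAINT) answers false. Returns true when the two
 * checks disagree, i.e. when the pitfall is present. */
static bool mask_pitfall_present(void) {
    handle_t h = { 0 };
    set_taint_in(&h, true);
    return has_any(&h, CF_TAINT) && !has_all(&h, CF_TAINT);
}

int main(void) {
    handle_t h = { 0 };
    set_taint(&h, true);
    printf("Taint=1 -> TaintIn=%d TaintOut=%d\n", get_taint_in(&h), get_taint_out(&h));
    set_taint_out(&h, false);
    printf("TaintOut=0 -> Taint reads %d (either set)\n", get_taint(&h));
    printf("has_any vs has_all disagree with one bit set: %d\n", mask_pitfall_present());
    return 0;
}
```

The takeaway is the one Bradley states: a combined `Taint` mask is fine for setting and for an "either is set" read, but a check that means "has any one of" cannot be reused to ask "are both set", so the two directions need to be tested by their own bits.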
