On Thu, 10 May 2001, Jacob Meuser wrote:
<--snip-->
> 
> True, the security of code first comes from the coder.  But it doesn't
> hurt to have some kind of backing for any code, no matter how secure it
> may seem.
> Tainted data in perl is basically anything that comes into your program
> from outside sources, be it a database, user input, data from a file,
> whatever.  In taint mode, tainted data (at least theoretically) cannot
> be used to affect anything else outside the program.  Perl goes into
> taint mode automatically when it notices that real and effective
> UIDs and GIDs are out of sync.  You can also enable taint mode with
> the -T flag.  This is highly recommended for CGI scripts.
> 

This may just be a difference in outlook, but it sounds like the kind of
under-the-covers-magic that makes perl so difficult for the outsider.
Yes, python won't stop you from doing something like

os.chdir(some_user_supplied_variable)
os.execv(user_supplied_path,user_supplied_env_dict)

but you're unlikely to do so by accident. Which does occasionally seem
like it might be possible in perl ;-)

Of course we all know that perl and python will eventually give way to
something better....
http://www.oreilly.com/parrot
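The taint discipline described in the quoted message (outside data is marked, and it can only be "laundered" by an explicit regex capture before reaching something like chdir or exec) can be written out by hand in Python. The sketch below is an added example, not code from either poster; the names Tainted, taint_concat, untaint and safe_chdir are hypothetical, and the sample input is constructed.

```python
"""Perl-style taint tracking in miniature (added example, hypothetical API).

Perl's -T mode marks data from outside the program as tainted and refuses to
hand it to operations that affect the outside world until it has been
captured by a regex the programmer wrote.  Python has no such mode, so the
same discipline has to be spelled out explicitly.
"""
import os
import re
import tempfile


class Tainted(str):
    """A string that arrived from an outside source (user input, file, DB)."""

    def __repr__(self):
        return f"Tainted({str.__repr__(self)})"


def taint_concat(a, b):
    """Concatenate two strings; the result stays tainted if either input was.
    Only concatenation is covered here; a real taint engine would wrap every
    string-producing operation."""
    result = str(a) + str(b)
    if isinstance(a, Tainted) or isinstance(b, Tainted):
        return Tainted(result)
    return result


def untaint(value, pattern):
    """Launder a value the way Perl does: the only way to obtain a clean
    string is a regex match, anchored to the whole input, written by the
    programmer as an allow-list.  Returns a plain str or raises ValueError."""
    m = re.fullmatch(pattern, value)
    if m is None:
        raise ValueError(f"value does not match allow-list pattern: {value!r}")
    return str(m.group(0))


def safe_chdir(path):
    """Guarded os.chdir: refuses anything still marked as tainted and
    returns the directory actually entered."""
    if isinstance(path, Tainted):
        raise TypeError(f"refusing chdir to tainted path {path!r}")
    os.chdir(path)
    return os.getcwd()


def demo():
    """Run the guarded call once with tainted and once with laundered input.
    Returns (refused, cleaned_value, landed_in_expected_dir)."""
    user_dir = Tainted("reports")          # constructed: value from a request
    base = tempfile.mkdtemp()
    target = os.path.join(base, "reports")
    os.mkdir(target)
    start = os.getcwd()
    try:
        # 1. Still tainted: the guarded chdir refuses it outright.
        try:
            safe_chdir(taint_concat(base + os.sep, user_dir))
            refused = False
        except TypeError:
            refused = True
        # 2. Laundered through an allow-list pattern: now it is accepted.
        cleaned = untaint(user_dir, r"[A-Za-z0-9_]+")
        landed = safe_chdir(os.path.join(base, cleaned))
        return refused, cleaned, os.path.samefile(landed, target)
    finally:
        os.chdir(start)


if __name__ == "__main__":
    print(demo())  # (True, 'reports', True)
```

The point of the sketch is that nothing "magic" happens: the guard only works because every sink (here just chdir) checks for the marker, and the only way to remove the marker is to state, as a regex, exactly which inputs are acceptable. That is the same contract Perl enforces for you under -T, made visible.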
