From simon at technocool.net Tue Jul 5 13:04:59 2011
From: simon at technocool.net (Simon Waters)
Date: Tue, 05 Jul 2011 21:04:59 +0100
Subject: [DCPM] CGI::FormBuilder and Taint
In-Reply-To:
References: <4DF44C05.8030704@technocool.net>
Message-ID: <4E136E6B.3060009@technocool.net>

On 12/06/11 20:40, Aaron Trevena wrote:
> On 12 June 2011 06:17, Simon Waters wrote:
>> Wrote a little CGI wrapper script for wkhtmltopdf.
>>
>> Found that the CGI::FormBuilder validation doesn't seem to untaint data
>> it has validated.
>
> I can't remember the last time I ran perl in Taint mode.. modern good
> practise renders it moot.

When "Taint" doesn't disappear off worrying about things it can't explain I don't see any harm in trying to use it.

Although Debian just got an update that fixed an issue with Taint not propagating as far as it should - the kind of update people hate - you know it can break stuff but you feel obliged to install and test.

Although the only thing that actually broke was a SetUID C program that hadn't been recompiled since it was running in 32 bits, and I removed the libc package that was providing compatibility for 32-bit apps from Debian whilst tidying up "unused" packages. See, I should have packaged that C program with 3 function calls in.

> Have you looked at other form handling modules on CPAN? I rather like
> Data::FormValidator, although the newer nicer alternative to that is
> http://search.cpan.org/perldoc?Data::Verifier, you might also like
> Spark::Form which seems quite nice - but I haven't used it yet.

Ah, CGI::FormBuilder can use Data::FormValidator constraints, and Data::FormValidator can take an "untaint_all_constraints" argument, so a solution exists for the next occasion I need some simple forms.

Not sure I have time to reinvent this one, as I need to rewrite the program that calls it first :(

Yes, it was all a bit 1990s, but all I needed was a simple form to wrap some arguments to a command that already existed, and I wanted to end up with code that was abstracted a little above the normal 1990s CGI app, without too many gaping security holes. So I think Taint and Form::Builder fitted well.

Simon
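As an added example (not Simon's wrapper script or anything posted in the thread): a CGI script run under -T that uses the Data::FormValidator "untaint_all_constraints" approach mentioned above to validate and untaint one field before passing it to wkhtmltopdf. The field name, the regex, and the output path are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a taint-mode CGI wrapper that validates and untaints one
# form field with Data::FormValidator before handing it to an external
# command. Field name, regex and output path are assumptions.
use strict;
use warnings;
use CGI;
use Data::FormValidator;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted; system() refuses to run until PATH is set
# explicitly and the shell-influencing variables are removed.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q     = CGI->new;
my %input = $q->Vars;   # every value here is tainted under -T

# A regex constraint needs a capture group: with untaint_all_constraints
# set, the untainted value is taken from $1, so only what the pattern
# explicitly allows leaves the validator (assumed allow-list of URL chars).
my $profile = {
    required           => [qw(url)],
    constraint_methods => {
        url => qr{^(https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/%?=&]*)?)$},
    },
    untaint_all_constraints => 1,
};

my $results = Data::FormValidator->check(\%input, $profile);
if ($results->has_missing || $results->has_invalid) {
    print $q->header(-status => '400 Bad Request'), "Invalid input\n";
    exit;
}

my $url = $results->valid('url');
# Defensive check: the value must have been untainted by the validator.
die "validator returned tainted data" if tainted($url);

# List-form system() bypasses the shell, so any metacharacters in $url are
# passed to the program as a plain argument rather than interpreted.
# Passing $input{url} here instead would die with
# "Insecure dependency in system while running with -T switch".
my $pdf = '/tmp/out.pdf';   # assumed output location
system('/usr/bin/wkhtmltopdf', $url, $pdf) == 0
    or die "wkhtmltopdf failed: $?";
```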