[DCPM] CGI::FormBuilder and Taint

Simon Waters simon at technocool.net
Tue Jul 5 13:04:59 PDT 2011


On 12/06/11 20:40, Aaron Trevena wrote:
> On 12 June 2011 06:17, Simon Waters <simon at technocool.net> wrote:
>> Wrote a little CGI wrapper script for wkhtmltopdf.
>>
>> Found that the CGI::FormBuilder validation doesn't seem to untaint data
>> it has validated.
> 
> I can't remember the last time I ran perl in Taint mode. Modern good
> practice renders it moot.

When "Taint" doesn't disappear off worrying about things it can't
explain I don't see any harm in trying to use it. Although Debian just
got an update that fixed an issue with Taint not propagating as far as
it should - kind of update people hate - you know it can break stuff but
you feel obliged to install and test.

Although the only thing that actually broke was a SetUID C program that
hadn't been recompiled since it was running in 32 bits, and I removed the
libc package that was providing compatibility for 32-bit apps from
Debian whilst tidying up "unused" packages. See, I should have packaged
that C program with 3 function calls in.

> Have you looked at other form handling modules on CPAN? I rather like
> Data::FormValidator, although the newer nicer alternative to that is
> http://search.cpan.org/perldoc?Data::Verifier, you might also like
> Spark::Form which seems quite nice - but I haven't used it yet.

Ah, CGI::FormBuilder can use Data::FormValidator constraints, and
Data::FormValidator can take an "untaint_all_constraints" argument, so a
solution exists for the next occasion I need some simple forms.

Not sure I have time to reinvent this one, as I need to rewrite the
program that calls it first :(

Yes, it was all a bit 1990s, but all I needed was a simple form to wrap
some arguments to a command that already existed, and I wanted to end up
with code that was abstracted a little above the normal 1990s CGI app,
without too many gaping security holes. So I think Taint and
Form::Builder fitted well.

 Simon
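The Data::FormValidator route Simon mentions, shown as an added example (this is not the wrapper script from the thread, nor code from either module's documentation): a profile with `untaint_all_constraints` so that values which pass a capturing regex come back from `valid()` already untainted, which is what is needed before they can reach a `system()` call under `-T`. The form field names, the sample values, the output path and the `--page-width` option name are all assumptions made for the illustration; the command is printed rather than executed.

```perl
#!/usr/bin/perl -T
# Added example, not the script from the thread: validate CGI-style input
# with Data::FormValidator and let it untaint the values so they can be
# used under taint mode (-T) without a hand-written regex capture per field.
use strict;
use warnings;
use Data::FormValidator;
use Scalar::Util qw(tainted);

# Validation profile. A qr// constraint with a capturing group both
# validates the field and (with untaint_all_constraints) supplies the
# captured text as the untainted value returned by $results->valid().
my $profile = {
    required                => [qw(url width)],
    untaint_all_constraints => 1,
    constraint_methods      => {
        url   => qr{^(https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?)$},
        width => qr/^(\d{1,4})$/,
    },
};

# Returns the validated, untainted values, or dies naming the fields
# that were missing or failed their constraint.
sub validated_args {
    my ($input) = @_;
    my $results = Data::FormValidator->check($input, $profile);
    if (!$results->success) {
        my @bad = ($results->missing, $results->invalid);
        die "rejected fields: @bad\n";
    }
    return ($results->valid('url'), $results->valid('width'));
}

# Constructed sample input. Under -T everything from %ENV is tainted, and
# concatenating a zero-length slice of a tainted string taints the result,
# which mimics what real CGI parameters look like to the interpreter.
my $taint = substr($ENV{PATH} // '', 0, 0);
my %good = (
    url   => $taint . 'http://example.org/report.html',
    width => $taint . '800',
);
my %bad = (
    url   => $taint . 'http://example.org/report.html',
    width => $taint . '800 && ls',   # shell metacharacters: must be rejected
);

for my $field (sort keys %good) {
    printf "%-5s tainted before validation: %s\n",
        $field, tainted($good{$field}) ? 'yes' : 'no';
}
my ($url, $width) = validated_args(\%good);
printf "width tainted after validation:  %s\n", tainted($width) ? 'yes' : 'no';

# The hostile value fails the width constraint and never reaches the command.
eval { validated_args(\%bad) };
print "hostile input: $@" if $@;

# Taint mode also refuses to run a command while PATH is tainted, so set
# it explicitly and drop the other variables a shell would consult.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The list form of system() bypasses the shell, so each untainted value is
# passed as a single argv entry. The option name and output path are only
# illustrative; the call is shown, not executed.
my @cmd = ('wkhtmltopdf', '--page-width', $width, $url, '/tmp/report.pdf');
print "would run: @cmd\n";
# system(@cmd) == 0 or die "wkhtmltopdf failed: $?";
```

The capturing group matters: it is the captured text, not the whole input, that becomes the untainted value, so the regex has to describe exactly what is acceptable to pass on to the command. Without `untaint_all_constraints` the same profile still validates, but `valid()` hands back the original tainted string and the `system()` call would die with an "Insecure dependency" error under `-T`.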


