[tpm] Re. Tainted data
Chris Jones
cj at enersave.ca
Wed Apr 11 04:58:33 PDT 2012
Well, I am following Pierre Trudeau's lead. It is a bilingual
website, made in Canada. Ideally, the website could be multi-lingual
by placing the phrases in a database instead of a flat, two-language text file.
At 03:47 AM 11/04/2012, Tom Legrady wrote:
>I'm generally dubious of constructs like "if $language ne
>'english'". (Besides, should be "lc $language") .. are you certain
>there will never be another language ... German .. Cree ...
>
>On a Hungarian keyboard from Budapest
>
>Tom
>
>On Mon, Apr 9, 2012 at 6:10 PM, Chris Jones
><cj at enersave.ca> wrote:
>So to confirm:
>
>my $language = <data from outside the program>;
>
>my $index = "index.html";
>
>if( $language ne "english" )
>{
> $index = "indexo.html"
>}
>
># $index is now tainted and
>
><a href="$index">
>
># throws an error when selected by the user
>
>If that summarizes my issue, it certainly explains the problems I
>have been having.
>
>A follow on question:
>Is data retrieved from a database considered tainted? The
>application uses data retrieved from a mysql database. Would this
>data also be considered tainted?
>The program uses DBI, DBD-mysql.
>
>At 11:48 PM 06/04/2012, Liam R E Quin wrote:
>On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:
> > Uri
> > Thanks again for your help. I have one question about untainting
> > the files before opening.
> >
> > Would not the split untaint the data:
> > my( $key, $value ) = split /\t/ ;
>
>No.
>
>The only ways to untaint data are to use them as keys in a hash (so $key
>is OK here, but $value is not) or to pick them out of a regular
>expression match with $1, $2, etc.
>The point of marking input data as tainted is so you can catch things
>like,
>my ($filename, $info) = split;
>system("ls $filename");
>and have filename be "/etc/group;reboot;" or something
>
>see "perldoc perlsec" for more info.
>
> >
> > As long as there are no bad characters in the data, that should untaint it?
> > Again the input config file contains:
> > infilename ../input
> > outfilename ../output
> >
> > If I use:
> > my $outfilename = "$confighash{outfilename}";
> > my $modfilename = "$outfiilename".".mod"; #add the extension
> >
> > Would not $modfilename be untainted?
>no. Also watch for the two i's in outfiilename.
>
>The general principle is that data from outside your program cannot be
>trusted (whereas data from inside your program _probably_ shouldn't be
>trusted :-)) and untrusted data must never be allowed to affect the
>world outside your program. Yes, your data file might be safe, but what
>if it wasn't? How does Perl know?
>
>[...]
> > Which leads to a question about declaring variables and scope:
> > my( $key, $value ) = split /\t/ ;
> >
> > Are these two variables in scope each time through the loop? That is
> > why I declared them outside the while loop in my original version.
>
>They are in scope, yes -- but if you have
>
>while ($sun_shines) {
> my $cider = split;
> . . .
>}
>
>then there's a new $cider made each time around the loop.
>
>Hope that helps.
>
>Liam
>
>--
>Liam Quin - XML Activity Lead, W3C,
>http://www.w3.org/People/Quin/
>Pictures from old books: http://fromoldbooks.org/
>
>
>Christopher Jones, P.Eng.
>Suite 1801, 1 Yonge Street
>Toronto, ON M5E1W7
>Tel. 416-203-7465
>Fax. 416-946-1005
>email cj at enersave.ca
>
Christopher Jones, P.Eng.
Suite 1801, 1 Yonge Street
Toronto, ON M5E1W7
Tel. 416-203-7465
Fax. 416-946-1005
email cj at enersave.ca
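
The split, concatenation, hash-key and regex-capture cases discussed in this thread, as an added example that is not code from any of the posters. The sample config line is constructed, and `untaint_path` and its allowlist pattern are hypothetical names and policy chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): taint propagation and untainting.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input. A zero-length slice of $^X is tainted under -T, so
# appending it marks the sample line the way real file input would be.
my $TAINT = substr($^X, 0, 0);
my $line  = "outfilename\t../output" . $TAINT;

# split hands back tainted pieces, and so does anything built from them.
my ($key, $value) = split /\t/, $line;
my $modfilename = $value . ".mod";
report('$value after split', $value);
report('$modfilename',       $modfilename);

# A hash key is stored as a plain string, so it comes back untainted;
# the value stored under it keeps its taint.
my %confighash = ($key => $value);
report('hash key',   (keys %confighash)[0]);
report('hash value', $confighash{$key});

# Untaint by validating against an allowlist pattern and taking $1.
# Hypothetical policy: optional leading ../ then word chars, dots, dashes.
my $clean = untaint_path($modfilename);
report('validated path', $clean);

# A value that fails validation is refused, not passed through.
my $bad = untaint_path("/etc/group;reboot;" . $TAINT);
print "shell metacharacters: ", (defined $bad ? "accepted" : "refused"), "\n";

sub untaint_path {
    my ($path) = @_;
    if ($path =~ m{\A((?:\.\./)*[\w.-]+(?:/[\w.-]+)*)\z}) {
        return $1;    # capture groups are untainted (no "use re 'taint'")
    }
    return;           # undef: the caller must not fall back to the original
}

sub report {
    my ($label, $v) = @_;
    printf "%-22s %-16s %s\n", $label, $v, tainted($v) ? "TAINTED" : "clean";
}
```

Run it as `perl -T` followed by the script name; without taint mode `tainted()` reports every value as clean.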