Review: Taint-Runtime
Nice idea. Perl should really have included something like this (analogous to warnings.pm for -w).
However, for something as security-related as tainting, I personally think the interface is a bit too complex and not robust enough. There are too many pitfalls where one can fail to turn on tainting properly.
* First, the user must remember to import $TAINT, or doing '$TAINT = 1' has no effect. There's no error/warning for this mistake.
* Then, if one also forgets to import taint_start or taint_env, then doing 'taint_start' or 'taint_env' (without parentheses) will do nothing. This also does not produce an error/warning except under strict mode.
* One must remember to 'taint_env' _after_ 'taint_start'. There's no warning/error if one does the opposite.
I'd rather have something like this:
... code is running in taint mode ...
... code is running without taint mode ...
No functions, no variables to set, no exports. Tainting of %ENV etc. should be done automatically, just like -T.
EDIT: I wrote tainting and uploaded it to CPAN as proof of concept.
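As an added illustration (not part of the review above, nor code from the Taint::Runtime distribution), here is the usage order the reviewer describes, written so that each of the listed pitfalls fails loudly instead of silently; the export names $TAINT, taint_start, taint_env and is_tainted are assumed from the module's documented interface:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed export list for Taint::Runtime: $TAINT, taint_start, taint_env
# and is_tainted. Importing $TAINT explicitly avoids the first pitfall
# (a lexical '$TAINT = 1' that the module never sees).
use Taint::Runtime qw($TAINT taint_start taint_env is_tainted);

# Under 'use strict' a bareword call to an un-imported function is a
# compile-time error; without strict it silently does nothing. Explicit
# parentheses make a missing import fail loudly either way.
taint_start();   # enable taint mode first ...
taint_env();     # ... then taint %ENV (the reverse order is a no-op)

# Do not trust the setup; verify it at runtime. The two checks that matter
# are "is taint mode on" and "is %ENV actually tainted".
die "taint mode is not enabled\n" unless $TAINT;
die "\$ENV{PATH} is not tainted; taint_env() did not take effect\n"
    unless is_tainted($ENV{PATH});

# Environment-derived data must be validated (untainted) before it reaches
# a shell or filesystem call, exactly as under -T. A capturing regex with a
# strict allow-list is the standard way to do that.
my ($safe_home) = ($ENV{HOME} // '') =~ m{^(/[\w./-]+)$}
    or die "HOME is missing or has unexpected characters\n";
print "taint mode active; validated HOME=$safe_home\n";
```

Running it with the import list trimmed, or with the two calls swapped, triggers one of the die() checks rather than leaving the program quietly untainted.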