Taint-Runtime reviews


Taint-Runtime (0.03) ****

Nice idea. Perl should really have included something like this (analogous to warnings.pm for -w).

However, for something as security-related as tainting, I personally think the interface is a bit too complex and not robust enough. There are too many pitfalls where one can fail to turn on tainting properly.

* First, user must remember to import $TAINT, or doing '$TAINT = 1' has no effect. There's no error/warning for this mistake.

* Then, if one also forgets to import taint_start or taint_env, then doing 'taint_start' or 'taint_env' (without parentheses) will do nothing. This also does not produce an error/warning except under strict mode.

* One must remember to 'taint_env' _after_ 'taint_start'. There's no warning/error if one does the opposite.

I'd rather have something like this:

    use tainting;
    ... code is running in taint mode ...

    no tainting;
    ... code is running without taint mode ...

No functions, no variables to set, no exports. Tainting of %ENV etc should be done automatically just like -T.

EDIT: I wrote tainting and uploaded it to CPAN as proof of concept.
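Added example (not part of the review, and not code from the Taint::Runtime or tainting distributions): the call sequence the review describes, with the imports done explicitly and followed by a self-check, since the module itself gives no error when one of the three pitfalls above is hit. It assumes that `taint_env` marks the values of `%ENV` as tainted and that core `Scalar::Util::tainted` reports that flag; the `REVIEW_SAMPLE` environment entry is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core Perl: true if the value carries the taint flag

# Import the functions explicitly. Without the import, a bareword
# 'taint_start' is a silent no-op unless strict is on; likewise assigning
# to $TAINT without importing it sets an unrelated variable in the caller's
# package and leaves tainting off.
use Taint::Runtime qw(taint_start taint_env);

# Constructed sample: an environment entry whose taint status can be
# inspected after taint_env has run.
$ENV{REVIEW_SAMPLE} = 'value from the environment';

taint_start();   # switch runtime tainting on first ...
taint_env();     # ... then taint %ENV, as -T would have done at startup

# Self-check the module does not do for you: if an import was missed or the
# two calls above were swapped, die here instead of carrying on with taint
# checks quietly disabled.
die "taint mode is not active: check imports and the taint_start/taint_env order\n"
    unless tainted($ENV{REVIEW_SAMPLE});

# From this point, passing a tainted value to system(), open() and friends
# raises "Insecure dependency", the same as under perl -T.
print "taint mode active\n";
```

Running the script with the `use Taint::Runtime` line changed to import nothing, or with the two calls swapped, reproduces the silent failure the review complains about; the `die` turns it into a visible one. The `tainting` module mentioned in the edit avoids the issue altogether by making `use tainting;` the only thing to get right.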