Posted to modperl@perl.apache.org by Scott Gifford <sg...@suspectclass.com> on 2007/12/01 06:40:28 UTC

Re: CGI->params() should be tainted, right?

jalex <ja...@sensiblenonsense.com> writes:

[...]

> Yes, I am aware various workarounds exist, however I don't think whether
> this is a bug or not is really at all arguable: anything that is marked as
> tainted in perl needs to be also marked tainted in mod_perl2. There is
> nothing in the mod_perl documentation to suggest otherwise; in fact, there
> are lots of tutorials out there that suggest that it is very important to
> turn taint mode on exactly to catch unsafe handling of CGI parameters. I'm
> left wondering what else isn't getting marked tainted that should be.

I agree, this is a very serious bug.  Taint checking is one of Perl's
most important security features, and Web applications are one of the
areas most in need of security.  Having taint checking not working
properly for mod_perl means that users are missing out on the huge
safety net Perl provides to stop programmers from accidentally doing
unsafe things, and worse they may be relying on that functionality to
protect them, leaving their apps unexpectedly vulnerable.

Do any of the mod_perl developers have a comment on this?  I'm
surprised it's not generating more feedback.

----Scott.

Re: CGI->params() should be tainted, right?

Posted by Perrin Harkins <pe...@elem.com>.
On Dec 1, 2007 12:40 AM, Scott Gifford <sg...@suspectclass.com> wrote:
> Do any of the mod_perl developers have a comment on this?  I'm
> surprised it's not generating more feedback.

Scott,

It certainly is a bug and no one denies it.  So far, no one has had
the combination of free time and knowledge to fix it.  People who
would like to help and have time to contribute code are welcome on the
dev list.

One reason why this doesn't seem as urgent as it could be is that most
people using a relatively advanced feature like taint mode are also
using Apache2::Request, which taints things correctly.

- Perrin
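To make the behaviour both posts are describing concrete, here is an added example (not code from Scott, Perrin, or the mod_perl project) showing how a practitioner can check whether a request parameter actually arrived tainted under `-T`, re-taint it with the classic "append a zero-length substring of a tainted string" workaround when the framework dropped the flag, and then untaint it only through a narrow whitelist capture. The sample parameter value, the `retaint` and `untaint_filename` helpers, and the use of `$ENV{PATH}` as a taint source are all assumptions for the demonstration; in a real handler the value would come from `CGI->param` or `Apache2::Request`.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): verify that a request parameter
# really is tainted under -T, re-taint it if the framework dropped the flag,
# and untaint it only through an explicit whitelist capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample value standing in for CGI->param('file').  A literal in
# the source is untainted, which mimics the mod_perl2 symptom the thread
# describes: client-supplied data arriving without the taint bit set.
my $raw = 'report-2007.txt';

# Harvest taint from %ENV: under -T every environment value is tainted at
# startup, and a zero-length substring of a tainted string is still tainted.
# Concatenating it onto $value makes the result tainted without changing it.
sub retaint {
    my ($value) = @_;
    my $path = defined $ENV{PATH} ? $ENV{PATH} : '';
    my $taint_source = substr($path, 0, 0);
    return $value . $taint_source;
}

# Untaint by whitelist: only a regex capture clears the flag, so keep the
# pattern narrow (a bare filename, no directory separators) instead of the
# all-too-common /(.*)/ which merely launders the data.
sub untaint_filename {
    my ($value) = @_;
    my ($clean) = $value =~ /\A([\w][\w.-]{0,63})\z/
        or die "rejected unsafe filename: $value\n";
    return $clean;
}

# Decide whether the framework tainted the parameter; if not, do it ourselves.
my $param = tainted($raw) ? $raw : retaint($raw);
die "retaint failed, is PATH set in the environment?\n" unless tainted($param);

# A tainted name in a write-mode open dies under -T ("Insecure dependency in
# open while running with -T switch"), which is exactly the safety net the
# thread says mod_perl2 users were silently losing.
eval { open(my $fh, '>', $param) };
die "expected the taint check to block the open, got: $@\n"
    unless $@ =~ /Insecure dependency/;
print "blocked as expected: $@";

# After the whitelist capture the value is clean and safe to use.
my $clean = untaint_filename($param);
print tainted($clean) ? "still tainted\n" : "untainted: $clean\n";
```

Run it as `perl -T taint_check.pl` (the `-T` must be on the command line as well as the shebang, or Perl aborts with "Too late for -T"). The same `tainted()` check dropped into a mod_perl2 handler is a quick way to confirm whether your own stack exhibits the bug discussed above or, as Perrin notes for Apache2::Request, taints correctly.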