Tainting is a way of keeping track of whether or not user input has been validated before being used in a potentially unsafe context like executing commands. It's the Ruby equivalent of handling SQL injection but for general injection tracking.
On Fri, 26 Jun 2020 at 12:45, Craig Russell <apache....@gmail.com> wrote:
>
> It appears that there are some issues with tainting that I do not understand.
> Thanks to sebb for sorting the immediate issues that kept the tool from
> working. I still do not understand why the coi.cgi script worked locally with
> setupmymac but failed when running in the whimsy server environment.
>
> The problems that I had raise some higher-level issues worth discussing.
>
> There are at least three ways I know of to use svn from cgi scripts:
> - construct svn commands and call the system to execute them
> - use svn to prepare svn commands and execute them
> - use svn_ to prepare svn commands and execute them
>
> User and password are available as global constants $USER and $PASSWORD. But
> they are also available in some environments via the "_" variable and ENV.
>
> I'd like to have some best practices documented:
>
> Which technique for executing svn is appropriate?
>
> How should credentials be passed from one layer to the next?
>
> Which code should be responsible for untainting variables?
>
> And while we are discussing structure of code, what kinds of things are
> appropriate for "top level" execution in the cgi script (outside of a
> function definition)? What things are appropriate for inside functions? What
> things are appropriate for directly executing within the _html section, the
> _body section, the _whimsy_body section, and the do block following the
> _whimsy_body section?
>
> Craig L Russell
> c...@apache.org

--
Matt Sicker <boa...@gmail.com>
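As an added illustration of the "validate, then use" pattern the reply describes (example code, not Whimsy's own; the helper names, the allowlist patterns and the choice of svn options are assumptions): a CGI script that goes the "construct svn commands and call the system" route can do its untainting in one checked function and then hand the shell nothing to interpret, by building the command as an argv array for `system(*argv)` instead of a single string.

```ruby
# Added example, not Whimsy code. Names and patterns are hypothetical.
# Untainting here means: a value is only allowed to reach the svn command
# after it has passed an allowlist check, done in one known place.

SAFE_PATH = %r{\A(?!/)[A-Za-z0-9_./-]+\z}   # relative, no shell metacharacters
SAFE_USER = /\A[a-z][a-z0-9_-]*\z/          # plain account name

class TaintError < StandardError; end

# Returns value only if it matches pattern; otherwise raises.
# Callers treat the return value as the untainted copy.
def untaint!(value, pattern, name)
  unless pattern.match?(value.to_s)
    raise TaintError, "#{name} rejected: #{value.inspect}"
  end
  value.to_s
end

# Builds the argv for an svn commit of one path. The array is meant for
# system(*argv) or Open3.capture3(*argv); because each element is a
# separate process argument, ';', '$(...)' or spaces in user input cannot
# change which command runs. The commit message is free text and is safe
# to pass through as its own element after -m. The password is deliberately
# not placed on argv (process arguments are visible to other local users);
# how credentials reach svn is left to the caller.
def svn_commit_argv(path, user, message)
  path = untaint!(path, SAFE_PATH, 'path')
  user = untaint!(user, SAFE_USER, 'user')
  # SAFE_PATH allows dots, so reject upward traversal separately.
  raise TaintError, 'path must not contain ..' if path.split('/').include?('..')
  ['svn', 'commit', '--non-interactive', '--no-auth-cache',
   '--username', user, '-m', message.to_s, path]
end
```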