On Fri, Sep 15, 2000 at 01:52:00AM -0000, Perl6 RFC Librarian wrote:
> =head1 TITLE
>
> Extend the window to turn on taint mode

As long as we're talking about tainting (this is a good idea, BTW) how
does everyone feel about a few other tainting widgets...

- A way to know when taint mode is on. ($TAINT or something)

This can be useful for debugging and testing purposes. It might also
be used as a flag to indicate paranoia. If tainting is on, the
program may wish to do additional security checks which it might not
have done otherwise.

- A way to explicitly taint a variable (taint(@this)).

Consider DBI. It must explicitly taint the results coming from a
database and must do this inside XS. It would be nice to be able to
easily do this in Perl without a lot of messy hacks. (I had to do this
for Ima::DBI before DBI started tainting its data. Wasn't fun and
never really worked 100%.)

And no, there shouldn't be an untaint() function. Orthogonality can
blow me, detainting without filtering should remain hard.

- A way to explicitly check if a variable is tainted (is_tainted(%this))

Useful for debugging and testing. Also for choosing between a secure
yet slower, more complicated, less featureful method and an unsecure
yet faster, easier, more featureful method. Also useful for throwing
insecure dependency exceptions of your own (used to have to do this
for Ima::DBI, too.)

is_tainted() would always return false if tainting is off.

Any other basic tainting utilities needed? I think pretty much
anything else can be built from these.

--
Michael G Schwern http://www.pobox.com/~schwern/ [EMAIL PROTECTED]
Just Another Stupid Consultant Perl6 Kwalitee Ashuranse
An 87 year old man had no sex at all before wearing my device.
--Alex Chiu, Immortality Guy
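
The three utilities proposed in the message above, sketched with what Perl 5 already provides, as an added example that is not part of the original post or of the RFC. `${^TAINT}` (Perl 5.8 and later) and `Scalar::Util::tainted` are real; `taint_mode_on`, `taint`, `is_tainted`, `clean_filename`, `open_report` and the sample row are hypothetical names constructed here. Run it with `perl -T`.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# "$TAINT": Perl 5.8+ exposes the mode as the read-only ${^TAINT}
# (1 under -T, -1 under -t, 0 when tainting is off).
sub taint_mode_on { return ${^TAINT} ? 1 : 0 }

# Zero-length string that carries the taint flag when run under -T
# ($^X, the interpreter path, is tainted data).
my $TAINT_SEED = substr($^X, 0, 0);

# "taint(@this)": taint the caller's scalars in place. @_ aliases the
# arguments, so appending the tainted empty string marks the originals.
# Values are stringified; undef (e.g. SQL NULL) and references are skipped.
sub taint {
    for my $value (@_) {
        next if !defined($value) || ref($value);
        $value .= $TAINT_SEED;
    }
    return;
}

# "is_tainted(%this)": true if any argument is tainted; always false
# when tainting is off, as the post specifies.
sub is_tainted { return (grep { tainted($_) } @_) ? 1 : 0 }

# No untaint(): the only way out is a filter that validates the value.
sub clean_filename {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_-]+\.txt)\z/ ? $1 : undef;
}

# Raise our own insecure-dependency error, as the post describes.
sub open_report {
    my ($file) = @_;
    die "Insecure dependency: tainted file name\n" if is_tainted($file);
    return "would open $file";
}

# Constructed sample standing in for a row fetched from a database.
my @row = ('alice', 'q3-report.txt');
taint(@row);

printf "taint mode on: %d, row tainted: %d\n", taint_mode_on(), is_tainted(@row);
my $result = eval { open_report($row[1]) };
print defined($result) ? "$result\n" : "refused: $@";
my $file = clean_filename($row[1]);
print open_report($file), "\n" if defined($file);
```

Without `-T` the seed string is untainted, so `taint()` becomes a no-op and `is_tainted()` returns false for everything.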