On Fri, Jun 25, 2010 at 5:49 PM, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
> In message <slrni297ec.1m5.grahn+n...@frailea.sa.invalid>, Jorgen Grahn
> wrote:
>
>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input -- it's to switch to an interface which doesn't
>> involve generating an intermediate executable. In the Python example,
>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>
> That’s what I mean. Why do people consider input sanitization so hard?

It's not that it is "hard", it's that it has to be done with care: and when an interface provides you two methods to pass it data, one that requires it to parse a string to get at your data (thus requiring careful sanitization), and one that is a direct channel where no parsing is required and the data is directly passed through memory and bypasses the need for any sanitization ... preference for the latter seems pretty darn obvious to me.

Use a method that does not add an extra security concern to the application or system = best practice. When that method *also* provides positive performance characteristics on top of alleviating a security concern, and even gets rid of a lot of data type conversion details you shouldn't really need to worry about, well. Using that method seems pretty much an obvious choice to me.

If the only reason not to use it is so you can produce ghoulish spaghetti code like in the first post, I think that's a count in PQ's favor :)

--S
-- http://mail.python.org/mailman/listinfo/python-list
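The two interfaces the thread contrasts, as an added example that is not code from any of the posters. os.popen2 is long gone, so the list form uses subprocess.run; the untrusted file name, the argv-echoing child program and the function names are constructed here for illustration, and the shell-string variant assumes a POSIX /bin/sh.

```python
import subprocess
import sys

# Tiny child program (stands in for zcat) that prints each argv element
# on its own line, so we can see exactly what the OS handed it.
ECHO_ARGS = "import sys; print(chr(10).join(sys.argv[1:]))"

# Constructed, attacker-controlled "file name" containing shell metacharacters.
UNTRUSTED = "report.txt; echo INJECTED"


def child_argv_via_list(untrusted):
    """Direct channel: an argv list, no shell in between.

    Modern equivalent of the post's os.popen2(['zcat', '-f', '--', untrusted]).
    Each list element becomes exactly one argv entry in the child; nothing
    parses the string, so there is nothing to sanitize. The '--' still
    matters: it stops a name beginning with '-' being read as an option.
    """
    proc = subprocess.run(
        [sys.executable, "-c", ECHO_ARGS, "-f", "--", untrusted],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.splitlines()


def child_argv_via_shell_string(untrusted):
    """Intermediate executable: one command line handed to /bin/sh to parse.

    The shell splits on whitespace and honours ';', so the child receives
    only 'report.txt' and a second command runs. This is the pattern that
    forces careful sanitization of every value that reaches the string.
    """
    cmd = f'{sys.executable} -c "{ECHO_ARGS}" -f -- {untrusted}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("list form  :", child_argv_via_list(UNTRUSTED))
    print("shell form :", child_argv_via_shell_string(UNTRUSTED))
```

Run on a POSIX system, the list form reports the whole untrusted value as a single argument, while the shell form shows it split and an extra command executed.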