[Python-bugs-list] [ python-Feature Requests-500698 ] Taint a la Perl?

noreply@sourceforge.net noreply@sourceforge.net
Thu, 02 Jan 2003 13:20:41 -0800


Feature Requests item #500698, was opened at 2002-01-07 19:48
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=355470&aid=500698&group_id=5470

Category: Python Interpreter Core
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Peter Scott (sketerpot)
Assigned to: Nobody/Anonymous (nobody)
Summary: Taint a la Perl?

Initial Comment:
This might just add unnecessary bloat, but since Python is being used in CGI scripts, it can be used to narrow a security hole. One way of breaking security is for a naive programmer (don't try to deny their existence) to run an arbitrary command from the page viewer.

Perl has developed an interesting mechanism for helping with this: taint. The way it works is, when something comes directly from the user, like a key in a form, it is considered to have taint unless specifically untainted. Things like os.exec() would create a warning message if you passed tainted strings to them.

As I said, this might just add unnecessary bloat, but for an option that can be left out for most builds of Python I think it would be pretty nice.
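The mechanism described in the request, modelled in user-level Python as an added example (not code from the tracker item or from Perl's implementation): form values are marked tainted on the way in, common string operations keep the mark, a value is cleared only by matching an explicit allow-list pattern, and the command sink refuses anything still tainted. The Tainted class, taint_form, untaint and check_untainted are hypothetical names for this sketch.

```python
import re
import subprocess


class TaintError(Exception):
    """Raised when untrusted data reaches a sensitive sink without validation."""


class Tainted(str):
    """A str that remembers it came straight from the request (form field, query string)."""
    __slots__ = ()

    # The operations CGI-era code used to build commands propagate the mark.
    # Gap, unlike Perl's interpreter-level tracking: f-strings, str.join and
    # str.format still return a plain str, so they silently drop the taint.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __rmod__(self, fmt):          # handles "cat %s" % tainted_value
        return Tainted(str.__mod__(fmt, self))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))

    def lower(self):
        return Tainted(str.lower(self))


def is_tainted(value):
    return isinstance(value, Tainted)


def taint_form(fields):
    """Mark every value coming from the CGI form as tainted on entry."""
    return {key: Tainted(val) for key, val in fields.items()}


def untaint(value, pattern):
    """Perl idiom: taint is removed only by matching an explicit allow-list pattern."""
    match = re.fullmatch(pattern, value)
    if match is None:
        raise TaintError("value %r does not match allowed pattern %r" % (str(value), pattern))
    return str(match.group(0))  # plain str: the taint mark is gone


def check_untainted(argv):
    """Refuse any argument still carrying taint; otherwise return plain strs."""
    bad = [str(arg) for arg in argv if is_tainted(arg)]
    if bad:
        raise TaintError("tainted data reached a command sink: %r" % bad)
    return [str(arg) for arg in argv]


def run_command(argv):
    """The guarded sink, standing in for os.exec() under a taint mode."""
    return subprocess.run(check_untainted(argv), capture_output=True, text=True)
```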

----------------------------------------------------------------------

Comment By: Neal McBurnett (nealmcb)
Date: 2003-01-02 14:20

Message:
Logged In: YES 
user_id=105956

I really like taint mode.
I think this would make Python a better choice for CGI scripts.

See http://www.perldoc.com/perl5.8.0/pod/perlsec.html
and http://gunther.web66.com/FAQS/taintmode.html
for more background.


----------------------------------------------------------------------