[Python-Dev] tainting

Wed, 8 Jan 2003 11:14:44 -0600

    >> >   Tainting                   -- tracking trusted status of objects
    >> 
    >> This is clearly out of scope of rexec, and, IMO, not relevant for
    >> untrusted code. Tainting is about processing untrusted data by
    >> trusted code.

    Kevin> I don't think it is so clearly out of the scope of the space of
    Kevin> all possible restricted execution enviornments.  Tainting (used
    Kevin> in a fairly liberal sense) is one way to propogate the security
    Kevin> status of objects without having to proxy them.

Can tainting be restricted to just strings and unicode objects or is it a
facility which needs to be extended to all objects whose state could be
affected by them?  For example, if I execute:

    s = raw_input("Enter a string here: ")

Clearly s would be tainted.  Suppose I then executed:

    t = int(s)
    x.foo = s[4:]

Would t need to be tainted?  I assume the object associated with x.foo would
have to be since it is a string (actually, that would be a side effect of
the slicing operation).  Would the object associated with x itself have to
be tainted?

How best to untaint an object?  Perl untaints when the programmer extracts
bits from a tainted string via regular expressions.  That seems rather
unPythonic.  Should objects which can be tainted just have a writable
'taint' attribute?

Skip