[Python-Dev] tainting

"Martin v. Löwis" martin@v.loewis.de
Wed, 08 Jan 2003 18:33:35 +0100


Skip Montanaro wrote:
> Can tainting be restricted to just strings and unicode objects or is it a
> facility which needs to be extended to all objects whose state could be
> affected by them?  

If I understand things correctly, in general, if the result depends on a 
tainted argument, it becomes itself tainted. I'm unsure whether 
exceptions should be made for container objects, as those may consist of 
tainted and untainted components.

> Clearly s would be tainted.  Suppose I then executed:
> 
>     t = int(s)

The question here is whether execution of int(s) would be allowed. There 
would need to be some machinery to determine whether the "normal" 
outcome of an operation is also produced with a tainted argument.

If the operation has its normal outcome, then clearly that is tainted as 
well. The question is whether an exceptional outcome would have to be 
tainted.

>     x.foo = s[4:]
> 
> Would t need to be tainted?  I assume the object associated with x.foo would
> have to be since it is a string (actually, that would be a side effect of
> the slicing operation).  Would the object associated with x itself have to
> be tainted?

I would normally think only x.__dict__['foo'] needs to be tainted, since 
everything else does not depend on untrusted input. One may argue that 
len(x.__dict__) may change as a result of this operation (so the entire 
dictionary is affected). However, that happens independently of whether s 
is tainted or not.

So if you have

    d[s] = 1

then tainting s might be necessary, since now len(s) depends on the 
value of s.

Regards,
Martin
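
Added example, not part of the original message and not code from Python itself: a small sketch of the propagation rules discussed in this thread, where slicing and int() on a tainted string yield tainted results, while an object that merely holds a tainted attribute or key is not marked itself. All names (Tainted, TaintedStr, TaintedInt, to_int, holds_tainted, Record) are hypothetical, and leaving the ValueError from int() unmarked is an assumption of the sketch, since the thread leaves that question open.

```python
class Tainted:
    """Marker base class: the value was derived from untrusted input."""

class TaintedStr(Tainted, str):
    # Any result that depends on a tainted string is itself tainted.
    def __getitem__(self, key):
        return TaintedStr(str.__getitem__(self, key))

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self))

class TaintedInt(Tainted, int):
    pass

def is_tainted(obj):
    return isinstance(obj, Tainted)

def to_int(s):
    # The normal outcome of int(s) carries the taint of its argument.
    # Assumption: the exceptional outcome (ValueError) propagates unmarked.
    n = int(s)
    return TaintedInt(n) if is_tainted(s) else n

def holds_tainted(mapping):
    # Component-wise view: the dict is not marked, its keys and values are.
    return any(is_tainted(k) or is_tainted(v) for k, v in mapping.items())

class Record:
    pass

def demo():
    s = TaintedStr("20030108")  # constructed sample standing in for untrusted input
    t = to_int(s)               # t = int(s)
    x = Record()
    x.foo = s[4:]               # x.foo = s[4:]
    d = {}
    d[s] = 1                    # d[s] = 1
    return {
        "t": t, "t_tainted": is_tainted(t),
        "foo": x.foo, "foo_tainted": is_tainted(x.__dict__["foo"]),
        "x_tainted": is_tainted(x),
        "d_tainted": is_tainted(d), "d_holds_tainted": holds_tainted(d),
    }
```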