[Python-Dev] tainting
"Martin v. Löwis"
martin@v.loewis.de
Wed, 08 Jan 2003 18:33:35 +0100
Skip Montanaro wrote:
> Can tainting be restricted to just strings and unicode objects or is it a
> facility which needs to be extended to all objects whose state could be
> affected by them?
If I understand things correctly, in general, if the result depends on a
tainted argument, it becomes itself tainted. I'm unsure whether
exceptions should be made for container objects, as those may consist of
tainted and untainted components.
> Clearly s would be tainted. Suppose I then executed:
>
> t = int(s)
The question here is whether execution of int(s) would be allowed. There
would need to be some machinery to determine whether the "normal"
outcome of an operation is also produced with a tainted argument.
If the operation has its normal outcome, then clearly that is tainted as
well. The question is whether an exceptional outcome would have to be
tainted.
> x.foo = s[4:]
>
> Would t need to be tainted? I assume the object associated with x.foo would
> have to be since it is a string (actually, that would be a side effect of
> the slicing operation). Would the object associated with x itself have to
> be tainted?
I would normally think only x.__dict__['foo'] needs to be tainted, since
everything else does not depend on untrusted input. One may argue that
len(x.__dict__) may change as a result of this operation (so the entire
dictionary is affected). However, that happens independent of whether s
is tainted or not.
So if you have
d[s] = 1
then tainting s might be necessary, since now len(s) depends on the
value of s.
Regards,
Martin
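
The propagation rules discussed in this message, as an added sketch that is not part of the original post and not Python's own behaviour. `Tainted`, `TaintedInt`, `TaintDict`, `to_int` and `is_tainted` are hypothetical names, and the input string is constructed.

```python
# Added illustration; every class and function name here is hypothetical.

class Tainted(str):
    """A string that came from untrusted input."""
    def __getitem__(self, key):      # s[4:] depends on s, so the slice is tainted
        return Tainted(str.__getitem__(self, key))
    def __add__(self, other):        # tainted + clean -> tainted
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):       # clean + tainted -> tainted
        return Tainted(str.__add__(other, self))

class TaintedInt(int):
    """An integer derived from a tainted value."""

def is_tainted(obj):
    return isinstance(obj, (Tainted, TaintedInt)) or getattr(obj, "tainted", False)

def to_int(s):
    """int(s) whose normal outcome inherits the taint of its argument."""
    n = int(s)   # a ValueError raised here is left unmarked in this sketch
    return TaintedInt(n) if is_tainted(s) else n

class TaintDict(dict):
    """Marks the container itself once a tainted key is stored, because the
    set of keys (and so its length) then depends on untrusted input."""
    tainted = False
    def __setitem__(self, key, value):
        if is_tainted(key):
            self.tainted = True
        dict.__setitem__(self, key, value)

class X:
    pass

def demo():
    s = Tainted("abcd1234")          # constructed sample of untrusted input
    x = X()
    x.foo = s[4:]                    # only the stored value carries the taint
    d = TaintDict()
    d[s] = 1
    return {
        "slice": is_tainted(x.foo),
        "owner": is_tainted(x),
        "to_int": is_tainted(to_int(x.foo)),
        "builtin_int": is_tainted(int(x.foo)),   # plain int() drops the mark
        "dict": is_tainted(d),
    }
```

The `builtin_int` entry shows why the thread asks for extra machinery: an unmodified `int()` returns an ordinary integer with no record of where its value came from.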