[Python-ideas] pytaint: taint tracking in python

Bruce Leban bruce at leapyear.org
Mon Oct 14 20:03:21 CEST 2013


There's another good use case for tainting: html injection (XSS). There's a
good solution for that too but XSS is still prevalent because it's easy to
build html by concatenating strings without escaping and template systems
make it too easy to inject strings without escaping (or put another way,
they make it equally easy to inject escaped strings as unescaped strings).

However, the issue is not just tainting but typing as well. When I have a
string, I need to know if it's raw text or html text. If it's html text, I
need to know if it's safe (generated by the program or user input that's
been sanitized (carefully)) or unsafe (raw user input). I'm not sure it
isn't

--- Bruce
I'm hiring: http://www.cadencemd.com/info/jobs
Latest blog post: Alice's Puzzle Page http://www.vroospeak.com
Learn how hackers think: http://j.mp/gruyere-security
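One way to model the two distinctions above (text versus HTML, and sanitized versus raw user input) as Python types, as an added example that is not code from this thread or from pytaint; the class names `SafeHTML` and `Tainted`, the escape-by-default rule and the `render` output boundary are assumptions:

```python
import html


class SafeHTML(str):
    """HTML the program generated or already sanitized; emitted verbatim."""

    def __add__(self, other):
        # Anything combined with SafeHTML is coerced through to_safe first.
        return SafeHTML(str.__add__(self, to_safe(other)))

    def join(self, parts):
        return SafeHTML(str.join(self, [to_safe(p) for p in parts]))

    def format(self, *args, **kwargs):
        return SafeHTML(str.format(self, *[to_safe(a) for a in args],
                                   **{k: to_safe(v) for k, v in kwargs.items()}))


class Tainted(str):
    """Raw user input. Concatenating onto it keeps the taint."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    # Caveat: 'plain_str + Tainted(...)' never reaches this class, because
    # str.__add__ accepts any str subclass and returns a plain str, so the
    # taint is silently lost. A library cannot close that gap; it is the
    # kind of hole an interpreter-level taint mode is meant to cover.


def to_safe(value):
    """Typing rule: only SafeHTML is HTML; anything else is text and is escaped."""
    if isinstance(value, SafeHTML):
        return value
    return SafeHTML(html.escape(str(value), quote=True))


def render(value):
    """Output boundary: refuse user input that never went through a sanitizer."""
    if isinstance(value, Tainted):
        raise TypeError("tainted input reached the output unsanitized")
    return str(to_safe(value))


if __name__ == "__main__":
    # Constructed sample input standing in for a submitted form field.
    comment = Tainted("<script>alert(1)</script>")
    page = SafeHTML("<p>") + comment + SafeHTML("</p>")
    print(render(page))  # <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
```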


On Mon, Oct 14, 2013 at 9:07 AM, Andrew Barnert <abarnert at yahoo.com> wrote:

> On Oct 14, 2013, at 5:25, Felix Gröbert <felix at groebert.org> wrote:
>
> > The idea itself is not new (Ruby and Perl have it; there are also some
> > python libraries floating around) and pretty much noone uses it - however
> > with a few improvements, it can be made viable.
>
> A good part of the reason no one uses it is that SQL injection is always
> given as the motivation for the idea, but it's not a very good solution for
> that problem, and there's already a well-known better solution:
> parameterized queries.
>
> SQL isn't the only case where you build executable strings--a document
> formatter might build Postscript code; a forum might build HTML (maybe even
> with embedded JS); a game might even read Python code from an in-game
> console or untrusted mod that's allowed to run in a different globals
> environment but not the main one; etc. Has anyone successfully used perl's
> long-standing taint mode for any such purposes? If not, can you demonstrate
> using it in python?
>
> I don't think that would be _necessary_ for a python taint mode
> implementation to be considered useful, but it would certainly help get
> attention to the idea.
>