[Python-ideas] pytaint: taint tracking in python

Terry Reedy tjreedy at udel.edu
Tue Oct 15 19:14:55 CEST 2013


On 10/15/2013 5:58 AM, Felix Gröbert wrote:
> 1. Please correct me if I misunderstand the Python project, but if the
> idea is deemed 'good' by this list,

This list is a discussion forum, not a decision-making body.

An individual person can consider an idea 'good' in some sense without 
thinking that it should be included in the CPython distribution.

> a PEP can follow and the feature can be included in Python 3?

A PEP must be discussed on the pydev (core developer) list and approved 
by GvR or a person delegated by him.

> It is not necessary to have a Python 3 implementation beforehand?

A Python 3 implementation is necessary for inclusion. It may or may not 
be needed for PEP approval, depending on the pydev discussion and 
ultimately the PEP decider.

> The existing Python 2.7.5 pytaint implementation is intended to be run
> by users who need tainting in Python 2 but can also serve as a reference
> / benchmark / proof-of-concept implementation for this discussion.
...
> Regarding taint tracking as a feature for python:
>
> First of all, taint tracking is a general language feature

Making objects instances of classes with attributes is a general 
feature, which Python already has. From what I have seen posted, taint 
tracking is a particular implementation of a specialized subjective 
concept 'untrusted code text'. The concept is based on the unfortunate 
social-psychological fact that some people enjoy messing up other 
people's lives.

> As Andrew and Bruce mention, there are other solutions to XSS and
> SQLi: template systems and parameterized queries. Another library
> solution exists to shell injection: pipes.quote.

Right. Taints are not the only possible implementation that uses the 
same concept.

> However, all these solutions require the developer to pick the
> correct library and method.

The same would be true of a taint library. Note that web frameworks, 
etc, are not in the stdlib. I am not sure that taints should be either.

The idea of marking bytes (or strings) with their encoding (or source 
encoding) has been rejected. I don't think anything else should be added 
either.

-- 
Terry Jan Reedy
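The exchange above contrasts two ways of keeping untrusted text out of SQL and shell sinks: marking the data itself (taint tracking) versus picking the right library call (parameterized queries, `pipes.quote`). The sketch below is an added example and is not pytaint's code or anything posted in this thread. It shows a minimal taint-carrying `str` subclass whose mark survives `+` and `%` and is refused by two hypothetical sinks (`run_query`, `shell_command`) unless a declared sanitizer (`sanitize_shell`) or a parameter placeholder is used. `Tainted`, `TaintError` and the sink and sanitizer names are assumptions for this example; `shlex.quote` is the Python 3 home of the `pipes.quote` function mentioned above (the `pipes` module itself was removed in Python 3.13), and the hostile input strings are constructed for the demonstration.

```python
"""Minimal taint-tracking sketch beside the library-based alternatives.

Added example, not pytaint's code. It runs on Python 3 with only the
standard library (sqlite3 for an in-memory database, shlex for quoting).
"""
import shlex
import sqlite3


class TaintError(ValueError):
    """Raised when tainted data reaches a sink without sanitization."""


class Tainted(str):
    """A str carrying a 'came from an untrusted source' mark.

    Hypothetical helper. Propagation covers only the operations this
    example needs: concatenation on either side and a single-value '%'
    substitution. str.format, f-strings and '%' with a tuple return plain
    str, which is exactly the coverage problem a language-level feature
    would have to solve.
    """

    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        # Called for plain_str + Tainted because Tainted subclasses str.
        return Tainted(str.__add__(str(other), self), self.source)

    def __rmod__(self, template):
        # Called for plain_template % tainted_value (single value only).
        return Tainted(str.__mod__(template, self), self.source)


def sanitize_shell(value):
    """Declared sanitizer: shell-quote and drop the taint mark."""
    return str(shlex.quote(value))


def shell_command(cmd):
    """Hypothetical shell sink: refuses tainted text, returns the command
    string instead of executing it so the example stays side-effect free."""
    if isinstance(cmd, Tainted):
        raise TaintError(f"tainted data from {cmd.source!r} reached shell sink")
    return cmd


def run_query(conn, sql, params=()):
    """Hypothetical SQL sink: the SQL text must be trusted; parameters are
    data and may be anything, because the driver never treats them as SQL."""
    if isinstance(sql, Tainted):
        raise TaintError(f"tainted data from {sql.source!r} reached SQL sink")
    return conn.execute(sql, params).fetchall()


def demo_sql():
    """Returns (was_string_built_query_blocked, rows_from_parameterized_query)."""
    # Constructed hostile input standing in for a form field.
    user = Tainted("alice' OR '1'='1", source="http form")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])

    # Building the query by concatenation propagates the mark; sink refuses.
    blocked = False
    try:
        run_query(conn, "SELECT name FROM users WHERE name = '" + user + "'")
    except TaintError:
        blocked = True

    # Parameterized form: SQL text is a trusted literal, value travels as data,
    # so the injection string matches no row instead of matching every row.
    rows = run_query(conn, "SELECT name FROM users WHERE name = ?", (user,))
    return blocked, rows


def demo_shell():
    """Returns (was_unquoted_command_blocked, quoted_command_string)."""
    # Constructed hostile input standing in for a query-string parameter.
    filename = Tainted("report.txt; echo injected", source="query string")

    blocked = False
    try:
        shell_command("cat " + filename)  # still Tainted after concatenation
    except TaintError:
        blocked = True

    # After the declared sanitizer the mark is gone and the sink accepts it.
    safe = shell_command("cat " + sanitize_shell(filename))
    return blocked, safe


if __name__ == "__main__":
    print(demo_sql())    # (True, [])
    print(demo_shell())  # (True, "cat 'report.txt; echo injected'")
```

The design point the sketch makes concrete is the one in the thread: the taint mark only helps where the string operations propagate it and the sinks check it, so both the propagation rules and the set of sinks have to be chosen by the developer, just as the library alternatives have to be chosen.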