[Python-ideas] pytaint: taint tracking in python
Terry Reedy
tjreedy at udel.edu
Tue Oct 15 19:14:55 CEST 2013
On 10/15/2013 5:58 AM, Felix Gröbert wrote:
> 1. Please correct me if I misunderstand the Python project, but if the
> idea is deemed 'good' by this list,
This list is a discussion forum, not a decision-making body.
An individual person can consider an idea 'good' in some sense without
thinking that it should be included in the CPython distribution.
> a PEP can follow and the feature can be included in Python 3?
A PEP must be discussed on the pydev (core developer) list and approved
by GvR or a person delegated by him.
> It is not necessary to have a Python 3 implementation beforehand?
A Python 3 implementation is necessary for inclusion. It may or may not
be needed for PEP approval, depending on the pydev discussion and
ultimately the PEP decider.
> The existing Python 2.7.5 pytaint implementation is intended to be run
> by users who need tainting in Python 2 but can also serve as a reference
> / benchmark / proof-of-concept implementation for this discussion.
...
> Regarding taint tracking as a feature for python:
>
> First of all, taint tracking is a general language feature
Making objects instances of classes with attributes is a general
feature, which Python already has. From what I have seen posted, taint
tracking is a particular implementation of a specialized subjective
concept 'untrusted code text'. The concept is based on the unfortunate
social-psychological fact that some people enjoy messing up other
people's lives.
> As Andrew and Bruce mention, there are other solutions to XSS and
> SQLi: template systems and parameterized queries. Another library
> solution exists to shell injection: pipes.quote.
Right. Taints are not the only possible implementation that uses the
same concept.
> However, all these solutions require the developer to pick the
> correct library and method.
The same would be true of a taint library. Note that web frameworks,
etc, are not in the stdlib. I am not sure that taints should be either.
The idea of marking bytes (or strings) with their encoding (or source
encoding) has been rejected. I don't think anything else should be added
either.
--
Terry Jan Reedy
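To illustrate the point above that tainting amounts to objects carrying an attribute plus checks at the sinks, and that a library only helps where the developer routes text through it, here is an added example (not pytaint's implementation and not code from the thread; the Tainted class, shell_quote and the two sink functions are hypothetical):

```python
# Added example (not pytaint's code): taint tracking as "a str subclass with
# an attribute" plus checks at sinks. Only the overridden operations propagate
# the mark; f-strings, slicing, .upper() etc. return plain str and lose it.
import shlex


class Tainted(str):
    """A str marked as untrusted; `source` records where it came from."""

    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Concatenation, "fmt %s" % tainted and replace() keep the mark.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)
    def __rmod__(self, template):
        return Tainted(str.__mod__(template, self), self.source)
    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.source)


class TaintError(ValueError):
    """Raised when unsanitized untrusted text reaches a sink."""


def shell_quote(text):
    """Sanitizer: shlex.quote (pipes.quote on Python 2); str() drops the mark."""
    return str(shlex.quote(text))


def shell_command(filename):
    """Shell sink: build 'ls -l <filename>', refusing tainted text."""
    cmd = "ls -l " + filename
    if isinstance(cmd, Tainted):
        raise TaintError("text from %s reached the shell unquoted" % cmd.source)
    return cmd


def sql_query(template, params):
    """SQL sink: statement text must be trusted; parameters may stay tainted,
    since a parameterized query never splices them into the statement."""
    if isinstance(template, Tainted):
        raise TaintError("statement text from %s is untrusted" % template.source)
    return template, tuple(str(p) for p in params)
```

The sink check catches a forgotten sanitizer only if the untrusted text was wrapped in Tainted at its source and never passed through an operation that returns a plain str, which is the same "pick the right library and method" burden the thread discusses.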