[Python-ideas] pytaint: taint tracking in python

Andrew Barnert abarnert at yahoo.com
Tue Oct 15 19:30:18 CEST 2013


On Oct 15, 2013, at 10:14, Terry Reedy <tjreedy at udel.edu> wrote:

> The same would be true of a taint library. Note that web frameworks, etc, are not in the stdlib. I am not sure that taints should be either.

Well, some of the things that could benefit from taint checking _are_ in the stdlib--sqlite3.Cursor.execute, eval, etc.

More importantly, it sounds like (at least this particular implementation of) tainted string tracking requires language support. So it seems to me that it has to be in the stdlib or not be at all. (I suppose you could add language support that allows for a variety of different taint libraries and not have any in the stdlib, but that seems even less likely to be acceptable than the larger suggestion.) So what you're suggesting really amounts to saying that this project should remain a fork of CPython.

That being said, with no investigation into the difficulties or costs of implementing taint tracking in PyPy, Jython, and IronPython, not to mention not-quite-implementations like Cython, there might be other arguments for that position.
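To make the stdlib point concrete: the snippet below is an added illustration, not code from this thread or from the pytaint fork. It assumes a hypothetical `TaintedStr` subclass that carries a flag for untrusted input and a hypothetical `safe_execute` wrapper around `sqlite3.Cursor.execute` that refuses to run SQL text built from tainted data. It also shows the limit of a pure-library approach that the message alludes to: the flag survives only the operators the subclass overrides, so an ordinary method call such as `.upper()` returns a plain `str` and the taint silently disappears, which is the gap that language-level support would close.

```python
import sqlite3


class TaintedStr(str):
    """A str that remembers whether it came from an untrusted source.

    Hypothetical illustration only: nothing like this exists in the stdlib
    or in pytaint. It shows what a library-level approach can and cannot
    track without interpreter support.
    """

    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    # Only the operators we override propagate the flag.
    def __add__(self, other):
        return TaintedStr(str.__add__(self, other),
                          tainted=self.tainted or is_tainted(other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self),
                          tainted=self.tainted or is_tainted(other))


def is_tainted(value):
    """True only for a TaintedStr whose flag is set; plain str is trusted."""
    return isinstance(value, TaintedStr) and value.tainted


def safe_execute(cursor, sql, params=()):
    """Hypothetical guard: refuse SQL text that carries taint.

    Data passed through `params` is bound by sqlite3 and never becomes part
    of the statement text, so tainted values are fine there.
    """
    if is_tainted(sql):
        raise ValueError("refusing to execute SQL built from tainted data")
    return cursor.execute(sql, params)


def build_query(name):
    """The risky pattern: statement text assembled from a value."""
    return "SELECT name FROM users WHERE name = '" + name + "'"


def demo():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (name TEXT)")
    cur.execute("INSERT INTO users VALUES ('alice')")
    user = TaintedStr("alice")  # constructed stand-in for request input
    outcome = {}

    # Parameterised: the SQL text is a trusted literal, data travels separately.
    outcome["parameterised"] = safe_execute(
        cur, "SELECT name FROM users WHERE name = ?", (user,)).fetchall()

    # Concatenated: taint survives '+' via __add__/__radd__, so the guard fires.
    try:
        safe_execute(cur, build_query(user))
        outcome["concatenated"] = "executed"
    except ValueError:
        outcome["concatenated"] = "blocked"

    # After a method call the taint is gone: str.upper() returns a plain str,
    # so the guard cannot see it. This is the hole language support would close.
    try:
        safe_execute(cur, build_query(user.upper()))
        outcome["after_upper"] = "not detected"
    except ValueError:
        outcome["after_upper"] = "blocked"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running it shows the parameterised query returning the row, the concatenated query blocked, and the `.upper()` variant slipping through. Covering every `str` method, `%`, `.format()`, f-strings and `str.join` by subclassing is the whack-a-mole that makes an interpreter-level implementation attractive.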