[Python-ideas] pytaint: taint tracking in python

Andrew Barnert abarnert at yahoo.com
Wed Oct 16 03:53:51 CEST 2013


On Oct 15, 2013, at 15:02, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 16 Oct 2013 07:15, "Ned Batchelder" <ned at nedbatchelder.com> wrote:
> >
> > On 10/14/13 8:25 AM, Felix Gröbert wrote:
> >>
> >> The idea itself is not new (Ruby and Perl have it; there are also some python libraries floating around) and pretty much no one uses it - however with a few improvements, it can be made viable.
> >
> >
> > I'd be interested to hear why this feature isn't used in the languages that already have it.  That seems to be a strike against it.  Your proposed changes sound like they make it a more complex feature, and therefore less likely to be used.
> 
> At least the Perl one is a bit too simplistic for sophisticated cases, as it just divides the world into safe and unsafe strings.
> 
> That approach is closer to the safe/unsafe marking mechanisms that Python web frameworks already tend to use for templating and other aspects of response generation.
> 
Also keep in mind that we're talking about a perl 3 feature intended to solve SQL injection problems, and once parameterized SQL was invented it was no longer useful for that. (Yes, you can still embed strings directly into SQL statements and quote and escape them manually because you're sure you're too smart to ever make a mistake, or because you just haven't bothered to learn the language or domain--but the kind of person who does that also doesn't turn on taint mode.) 

A more flexible feature designed for other problems that haven't proven as amenable to an easy fix might find more use. Which is exactly why I suggested that the OP give better use cases than SQL injection--and he obliged.
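The two mechanisms contrasted in this message, a Perl-style binary safe/unsafe marking on strings versus parameterized SQL that binds input as data, can be shown side by side. The following is an added illustration and is not code from the thread, from pytaint, or from Perl; the `Tainted` class, `untrusted`, `is_tainted` and `execute_trusted` names are assumptions made for this example, and the hostile input and the `users` table are constructed sample data.

```python
import sqlite3


class Tainted(str):
    """A str carrying a single 'untrusted' bit, in the spirit of Perl's
    taint mode (constructed example; not pytaint's API). The mark survives
    concatenation and %-formatting so it reaches wherever the text is used."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, fmt):
        return Tainted(str.__mod__(fmt, self))


def untrusted(value):
    """Mark a value that arrived from outside the trust boundary."""
    return Tainted(value)


def is_tainted(value):
    return isinstance(value, Tainted)


def execute_trusted(conn, sql, params=()):
    """Refuse SQL statement text that carries taint. Parameters may be
    untrusted: the driver binds them as data, never as part of the SQL."""
    if is_tainted(sql):
        raise ValueError("tainted data reached SQL statement text")
    return conn.execute(sql, tuple(str(p) for p in params)).fetchall()


def demo():
    """Run both approaches against an in-memory database and report
    (whether the hand-built statement was refused, rows from the bound query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])

    # Constructed hostile input: a classic textbook injection string.
    user_input = untrusted("alice' OR '1'='1")

    # Manual embedding with quoting: the taint propagates through the
    # concatenation into the statement text, so the sink refuses it.
    stmt = "SELECT name FROM users WHERE name = '" + user_input + "'"
    refused = False
    try:
        execute_trusted(conn, stmt)
    except ValueError:
        refused = True

    # Parameterized form: the statement text is a trusted literal and the
    # untrusted value is bound as data, so it matches no row.
    rows = execute_trusted(conn, "SELECT name FROM users WHERE name = ?", [user_input])
    return refused, rows


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the one made above: a binary taint mark can only say "this string is untrusted", so its useful job at a SQL sink is to refuse hand-built statement text, and parameterized queries already remove the need for that string to exist at all.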