Perl: TAINT mode
CS4236 Tutorial 8, question 7
Luc Charpentier
Why do you need TAINT mode?
• Are web CGI scripts really secure?
• Do you check whether a script is secure when you download it?
• Do you read it before use? NO!!
What is TAINT mode?
• TAINT mode puts a Perl script into "PARANOID" mode: ALL user-supplied input is treated as tainted and bad unless the programmer explicitly "OKs" the data.
• Taint basically halts the script (with an "Insecure dependency" error) whenever tainted data is sent through eval, system, exec, open or similar calls.
How to use it?
• If you use Perl 5: #!/usr/local/bin/perl -T
• If you use Perl 4: #!/usr/local/bin/taintperl
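An added example (not from the original slides) showing the two slides above in practice: the -T switch, what happens when tainted input reaches a restricted call, and the regex capture that "OKs" the data. The input is a report name taken from the command line and the log file is written to the current directory; both are choices made for this example.

```perl
#!/usr/bin/perl -T
# Added illustration of taint mode; not code from the original slides.
# Run as:  perl -T taint_demo.pl report1     (the -T must also be on the
# command line, otherwise perl stops with "Too late for -T option").
use strict;
use warnings;
use Scalar::Util qw(tainted);    # core module, reports taint status

# %ENV is tainted as well: before any system/exec call Perl requires PATH
# to be set explicitly and the shell-influencing variables removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Everything that enters from outside (here a command-line argument; a CGI
# script would read the query string) is tainted from the start.
my $requested = shift @ARGV;
defined $requested or die "usage: perl -T $0 <report name>\n";
printf "input tainted: %s\n", tainted($requested) ? 'yes' : 'no';

# Tainted data may be read and printed, but any operation that changes
# something outside the program (open for writing, unlink, system, ...)
# makes Perl die with "Insecure dependency in open while running with -T
# switch". That is an ordinary fatal error, so eval can trap and show it.
eval {
    open my $bad, '>>', "./$requested.log" or die "open: $!\n";
    close $bad;
    1;
} or print "refused: $@";

# The only way to "OK" the data is to extract the accepted part with a
# regex capture; the capture is untainted, everything else is rejected.
# The accepted alphabet is this example's choice: a short bare name with
# no slash, so "../etc/passwd" or "x; rm -rf /" never gets through.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/ ? $1 : undef;
}

my $name = untaint_name($requested);
defined $name or die "rejected: only a plain report name is allowed\n";
printf "after untaint tainted: %s\n", tainted($name) ? 'yes' : 'no';

# Same operation with the untainted copy succeeds (writes ./<name>.log
# in the current directory, a path chosen for this example).
open my $fh, '>>', "./$name.log" or die "open: $!\n";
print {$fh} scalar(localtime), " report $name requested\n";
close $fh;
print "wrote ./$name.log\n";
```

Try it with a benign name and then with something like "../etc/passwd" to see the untaint step reject it before any file is touched.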
Other modes
• Strict mode: alerts you to common syntax errors
• Warning mode: alerts you to common bugs
None of these is capable of writing secure code for you!!
What does it alleviate?
• Neglecting to consider and handle special situations.
• We always assume that the input is valid, because that is easier to code (enough buffer space, the input file exists, ...).
• We always think about the normal conditions of use.
• But a hacker can find the specific conditions under which the result is disastrous.
Conclusion
• It is easy to write a small secure script, difficult to write a big secure script.
• Perl modes are there to help the programmer.
• TAINT forces you as a programmer to think about what you are doing with outside data.
This mode is only there to help you; it won't find all the problems!!