develooper Front page | perl.perl6.language | Postings from June 2002

Re: Regexes and untainting

From: Jonathan E. Paton
Date: June 21, 2002 04:21
Subject: Re: Regexes and untainting
Message ID: 20020621111751.94525.qmail@web14610.mail.yahoo.com
 --- mosullivan@mail.crtinc.com wrote:
| SUMMARY 
| By default, regexes shouldn't untaint.  Also, provide a
| toolkit for Safer Untainting.
| ...
| Ergo, I propose that regexes only untaint stuff in parens
| if you specifically tell them to do so.  A capital-T
| switch would work nicely

__CODE__
#!/usr/bin/perl -wT

use 5.005;
use strict;
use re 'taint';

__MESSAGE__
__MESSAGE__

It appears you wish to have `use re 'taint'` as the default
in Perl 6, rather than the current default behaviour w.r.t.
untainting with regexes.

Taint mode scripts should be well designed and written;
however, it cannot be uncommon that a programmer is charged
with the task of adding security to an existing script.  In
this case, the likelihood of /(.*)/ or equivalent being missed
is high.  For the author of secure-from-the-ground-up scripts,
this change would be less of an issue.

The toolkit is an interesting idea; however, it would seemingly
reimplement many of the regex rules that would be part of
other modules.

An interesting idea (and I would hope someone has already
thought of it) is to use regex rules to specify that whatever
they match is automatically untainted.

[disclaimer: my Perl 6 regex skills are lacking, please
             don't flame me regarding misuse/mistakes]

For example:

    my $untainted = _/^(rule)$/;

By using rules provided by the modules I am using, it allows
someone else to consider whether their approach is secure
enough to set this option.  Any modules that don't cater for
taint mode users won't set this untaint-safe option.

Currently, the danger is that a module author uses *unsafe*
regexes, but has no way to inform the users except by
documentation.  If, within the code, they use /(.*)/, then this
would silently untaint data.  The vigilant should check before
passing to outside functions; however, sometimes it is
appropriate not to, e.g. parsing.

Currently, there are many places `use re 'taint'` should have
been used, but the author didn't through laziness (or it
wasn't appropriate for him to care).

SUMMARY: I want rules to be *able to* untaint their captured
string.

Jonathan Paton

=====
s''! v+v+v+v+  J r e P    h+h+h+h+ !s`\x21`~`g,s`^ . | ~.*``mg,$v=q.
 P ! v-v-v-v-  u l r e r  h-h-h-   !12.,@.=m`.`g;do{$.=$2.$1,$.=~s`h
 E !   v+v+v+  s     k e  h+h+     !`2`x,$.=~s`v`31`,print$.[$v+=$.]
 R !     v-v-  t H a c h  h-       !}while/([hv])([+-])/g;print"\xA"
 L !             A n o t           !';$..=$1while/([^!]*)$/mg;eval$.
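As an added example (not part of the original post, nor code from Perl's own documentation), the following Perl 5 script shows the behaviour the thread is arguing about: under -T, a capture from /(.*)/ is untainted without any validation, a restrictive anchored pattern rejects input it cannot vouch for, and `use re 'taint'` makes the same /(.*)/ capture keep its taint. The two sample inputs and the `substr($ENV{PATH}, 0, 0)` trick for manufacturing a tainted string are constructed for the demonstration; `Scalar::Util::tainted` is the core function used to inspect taint status.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): how Perl 5 taint mode treats
# regex captures, with and without `use re 'taint'`.
# Run as:  perl -T untaint_demo.pl   (-T must be on the command line,
# otherwise Perl stops with "Too late for "-T" option").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted inputs. Under -T every %ENV value is tainted, and taint
# survives string operations, so the empty substring of $ENV{PATH} is a
# zero-length tainted string that taints anything concatenated with it.
# (If PATH is unset, nothing below is tainted and every row prints "untainted".)
my $taint  = defined $ENV{PATH} ? substr($ENV{PATH}, 0, 0) : '';
my @inputs = (
    "report-2002.txt"            . $taint,   # benign filename
    "report.txt;cat /etc/passwd" . $taint,   # shell metacharacters smuggled in
);

# Default behaviour: ANY capture is untainted, whatever the pattern matched.
# /(.*)/ therefore launders the input without validating it at all.
sub untaint_with_dot_star {
    my ($s) = @_;
    my ($out) = $s =~ /(.*)/;
    return $out;
}

# A pattern that only admits the characters a plain filename may contain.
# Input that does not match yields undef instead of a laundered copy.
sub untaint_filename {
    my ($s) = @_;
    my ($out) = $s =~ /\A([\w.-]+)\z/ or return undef;
    return $out;
}

{
    # Lexically scoped: regexes compiled in this block leave captures of a
    # tainted string tainted, so the same /(.*)/ no longer untaints anything.
    use re 'taint';

    sub capture_keeping_taint {
        my ($s) = @_;
        my ($out) = $s =~ /(.*)/;
        return $out;
    }
}

for my $in (@inputs) {
    printf "input: %s (%s)\n", $in, tainted($in) ? 'tainted' : 'untainted';
    my @rows = (
        [ "default /(.*)/"          => untaint_with_dot_star($in) ],
        [ '/\A([\w.-]+)\z/'         => untaint_filename($in)      ],
        [ "use re 'taint' + /(.*)/" => capture_keeping_taint($in) ],
    );
    for my $row (@rows) {
        my ($label, $val) = @$row;
        my $status = !defined $val ? 'rejected (undef)'
                   : tainted($val) ? 'tainted'
                   :                 'untainted';
        printf "  %-26s -> %-28s %s\n", $label,
            defined $val ? $val : '-', $status;
    }
}
```

For the second input the first row is the case the post warns about: "report.txt;cat /etc/passwd" comes back untainted and would be accepted by any later taint-checked sink such as a list-form system() or an open() for writing, even though nothing validated it. The anchored pattern returns undef for that input, and the capture compiled under `use re 'taint'` stays tainted for both inputs, which is exactly the "captures do not untaint unless told to" default the thread is discussing.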

