
Re: [MacPerl] Taint Talk



>OK, many people are getting sick of taint talk.
OK, I brought this up, so I will make some final remarks.
It is easy to forget some details when you talk about security.
So an ad-hoc solution is often insecure.
I will make some investigations about security concerns on the Mac in the
next weeks and come back when I have results.

I will try to port the taint-module from Dan Sugalski to the Mac.
With this module you can taint data yourself and check if data is tainted,
so you can make experiments to understand the whole issue better. 
(I already successfully used xsubpp, set up the include path, and
  compiled it successfully. Now I am trying to find out what libraries I need,
  and how I make it a module. If anybody can help me with that
  I would be happy. Just email me directly.)

I think the current state should be changed because
* you can't use a debugger with taint-check on
* Many people will get confused when a module suddenly does not
  get loaded successfully, and will disable taint-check again.
* I think the risk of a bad CGI is much higher than the risk of
  a manipulated @INC path, so a 99% solution that works for all people
  may be better than a 100% solution that is too complex to use.


regards

Karsten Meier


---------------------------------------------------------------------
Karsten Meier
EMail krstnmr@ibm.net
WWW: http://www.meier-online.com with following highlights:
 * German MacPerl Primer * XTensions for use with QuarkXPress 
Unsolicited and/or commercial email is not permitted at this address.


