2000-02-18-10:45:48 Brock Sides:
> Perl's tainting mechanism will also come into play when opening a
> filehandle for writing:

What's more, it's available to user code. perlsec(1) gives an example routine that can check the taintedness of a variable, and the Taint module makes it really painless.

DBI.pm offers a Taint option to taint-check data passed to it; this offers some hope of addressing the rash of bugs in weirdo data with SQL embedded in it being passed through CGIs and into a relational database (ref RFP2K01, recently posted to this list).

I'm hoping it's possible that the new (development track perl) feature for I/O disciplines may allow you to bolt a routine over the front of an I/O handle that taint checks everything written to it; that'd make a nice clean way of dealing with the whole cross-site-scripting problem.

-Bennett
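An added example, not part of the message above, showing the three things it mentions in working Perl: the perlsec(1) is_tainted() idiom, taint mode refusing to open a filehandle for writing with a tainted name, and a small output wrapper that taint-checks everything written through it (a hand-rolled stand-in for the I/O discipline Bennett hopes for). It assumes you run it as `perl -T taint_demo.pl somename`; the script name and the /tmp paths are my choices.

```perl
#!/usr/bin/perl -T
# Added example: exercise Perl taint mode as described in the post.
# Under -T, @ARGV and %ENV are tainted; without -T everything reports clean.
use strict;
use warnings;

# The is_tainted() idiom from perlsec(1): a string eval of tainted data
# (even a zero-length slice of it, hidden in a comment) dies with
# "Insecure dependency", so the eval fails exactly when the data is tainted.
sub is_tainted {
    local $@;                       # don't clobber the caller's $@
    return !eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Output wrapper: refuse to write anything tainted to the given handle.
# This is the "bolt a routine over the front of a handle" idea done by hand.
sub print_checked {
    my ($fh, @chunks) = @_;
    die "refusing to emit tainted data\n" if grep { is_tainted($_) } @chunks;
    return print {$fh} @chunks;
}

my $raw = shift @ARGV;
die "usage: perl -T $0 <file-name>\n" unless defined $raw;
print "raw argument tainted? ", (is_tainted($raw) ? "yes" : "no"), "\n";

# Opening for writing with a tainted path is an insecure dependency under -T
# (reading would be allowed), which is the behaviour the quoted text refers to.
my $opened = eval { open(my $fh, '>', "/tmp/$raw") or die "open: $!\n"; close $fh; 1 };
print "open for writing with tainted name: ",
      ($opened ? "allowed\n" : "refused: $@");

# Untaint the perlsec way: validate against an allowlist pattern; only the
# capture from a successful match is considered clean.
my ($clean) = $raw =~ /\A([\w.-]+)\z/
    or die "input is not a plain file name, not untainting it\n";
print "validated name tainted? ", (is_tainted($clean) ? "yes" : "no"), "\n";

open(my $out, '>', "/tmp/$clean") or die "open: $!\n";
print_checked($out, "written via checked handle\n");   # clean literal: ok
close $out;

# The same wrapper stops tainted input from being echoed back to a client.
eval { print_checked(\*STDOUT, "you sent: $raw\n") };
print "echo of raw input through checked handle: ", ($@ || "allowed\n");
```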
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:10 PDT