Perl: TAINT mode - PowerPoint PPT Presentation

Slides: 8
Provided by: Luc176
Tags: taint | mode | perl


Transcript and Presenter's Notes


1
Perl TAINT mode
  • CS4236
  • Tutorial 8, question 7
  • Luc Charpentier

2
Why do you need TAINT mode?
  • Are web CGI scripts really secure?
  • Do you check whether a script is secure when you
    download it?
  • Do you read it before use?
  • NO!!

3
What is TAINT mode?
  • TAINT mode puts a Perl script into "PARANOID"
    mode and treats ALL user-supplied input as
    tainted and bad unless the programmer explicitly
    "OKs" the data.
  • Taint basically stops any tainted data from being
    sent through eval, system, exec, or open calls

4
How to use it?
  • If you use Perl 5: #!/usr/local/bin/perl -T
  • If you use Perl 4: #!/usr/local/bin/taintperl
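What slides 3 and 4 describe, as an added example that is not part of the original presentation: a script run with -T where tainted input is refused by system() and accepted only after the programmer "OKs" it through a regex capture. The validator name `untaint_filename`, its allow-list pattern, the sample inputs and the `$TAINT` helper are assumptions made for the illustration.

```perl
#!/usr/local/bin/perl -T
# Added example, not from the slides. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # keep our output in order with the child process output

# Zero-length string carrying the taint flag: environment values are tainted
# under -T, so appending it makes a constructed sample act like user input.
# (Assumes the environment is not empty.)
my $TAINT = substr(join('', values %ENV), 0, 0);

# Taint mode also refuses to run commands with an untrusted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical validator: a regex capture is how the programmer explicitly
# "OKs" data. Allow-list a plain file name; anything else returns undef.
sub untaint_filename {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Constructed inputs standing in for a CGI form field.
my @samples = ('report.txt', 'report.txt;id', '../../etc/passwd');

for my $raw (map { $_ . $TAINT } @samples) {
    print "input '$raw' tainted: ", (tainted($raw) ? 'yes' : 'no'), "\n";

    # Raw input: Perl dies with "Insecure dependency in system" before
    # anything is executed; eval catches the exception so the demo continues.
    eval { system('echo', 'processing', $raw); 1 }
        or print "  raw input blocked: ", (split /\n/, $@)[0], "\n";

    # Validated input: the captured copy is untainted, so system() is allowed.
    my $clean = untaint_filename($raw);
    if (defined $clean) {
        system('echo', '  validated, processing', $clean) == 0
            or warn "echo failed: $?\n";
    } else {
        print "  rejected by the allow-list, nothing executed\n";
    }
}
```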

5
Other modes
  • Strict mode: alerts you to common syntax errors
  • Warning mode: alerts you to common bugs
  • None of these are capable of writing secure code
    for you!!

6
What does it alleviate?
  • Neglecting to consider and take care of special
    situations.
  • We always assume that the input is valid because
    it is easier to code (enough buffer size, input
    file exists)
  • We always think about normal conditions of use.
  • But a hacker can find specific conditions under
    which the result can be disastrous.

7
Conclusion
  • Easy to write a small secure script, difficult to
    write a big secure script.
  • Perl modes are here to help the programmer.
  • TAINT forces you as a programmer to think about
    what you are doing with outside data.
  • This mode is only to help you, it won't find all
    the problems!!