Taint (like in Perl) as a Python module: taint.py
Johann C. Rocholl
jcrocholl at googlemail.com
Tue Feb 6 04:37:53 EST 2007
On Feb 6, 3:01 am, Ben Finney <bignose+hates-s... at benfinney.id.au> wrote:
> "Gabriel Genellina" <gagsl... at yahoo.com.ar> writes:
> > And tainted() returns False by default?????
> > Sorry but in general, this won't work :(
>
> I'm inclined to agree that the default should be to flag an object as
> tainted unless known otherwise.
That's true. For example, my first attempt didn't prevent this:
os.open(buffer('/etc/passwd'), os.O_RDONLY)
Here's a stricter version:
def tainted(param):
    """
    Check if a parameter is tainted. If it's a sequence or dict, all
    values will be checked (but not the keys).
    """
    # SafeString is the marker subclass of unicode defined in taint.py;
    # any other text, including plain str and buffer objects, is tainted.
    if isinstance(param, unicode):
        return not isinstance(param, SafeString)
    elif isinstance(param, (bool, int, long, float, complex, file)):
        return False
    elif isinstance(param, (tuple, list)):
        for element in param:
            if tainted(element):
                return True
        return False  # every element was checked and none was tainted
    elif isinstance(param, dict):
        return tainted(param.values())
    else:
        # Unknown types (str, buffer, arbitrary objects) default to tainted.
        return True
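A Python 3 sketch of the default-tainted check discussed above, extended with a validator that promotes a string to the safe marker type and a guard that refuses tainted arguments at a sink. This is an added example, not code from taint.py or from the thread; SafeStr, TaintError, untaint, guard and build_path are names chosen here, and memoryview stands in for the Python 2 buffer case.

```python
import re
from functools import wraps


class SafeStr(str):
    """Marker type: a string that passed validation and may reach a sink."""


class TaintError(ValueError):
    """Raised when tainted data reaches a guarded sink or fails validation."""


def tainted(param):
    """Return True unless every value in `param` is known to be safe.
    The default is 'tainted': only an explicit allow-list of types passes."""
    if isinstance(param, SafeStr):       # must be tested before plain str
        return False
    if isinstance(param, (str, bytes, bytearray, memoryview)):
        return True                      # raw text and buffer views are untrusted
    if isinstance(param, (bool, int, float, complex)) or param is None:
        return False                     # plain scalars carry no attacker bytes
    if isinstance(param, (tuple, list, set, frozenset)):
        return any(tainted(e) for e in param)
    if isinstance(param, dict):
        return any(tainted(v) for v in param.values())   # values, not keys
    return True                          # unknown types are assumed tainted


def untaint(value, pattern):
    """Promote `value` to SafeStr only if it fully matches `pattern`."""
    if isinstance(value, str) and re.fullmatch(pattern, value):
        return SafeStr(value)
    raise TaintError("value did not pass validation: %r" % (value,))


def guard(func):
    """Refuse to call `func` if any positional or keyword argument is tainted."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        if tainted(args) or tainted(kwargs):
            raise TaintError("tainted argument passed to %s" % func.__name__)
        return func(*args, **kwargs)
    return wrapper


@guard
def build_path(base, name):
    """Constructed sink standing in for a file open: joins base and name."""
    return "%s/%s" % (base, name)
```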