[Python-bugs-list] [ python-Feature Requests-500698 ] Taint a la Perl?

noreply@sourceforge.net noreply@sourceforge.net
Mon, 07 Jan 2002 18:48:19 -0800


Feature Requests item #500698, was opened at 2002-01-07 18:48
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=355470&aid=500698&group_id=5470

Category: Python Interpreter Core
Group: None
Status: Open
Priority: 5
Submitted By: Peter Scott (sketerpot)
Assigned to: Nobody/Anonymous (nobody)
Summary: Taint a la Perl?

Initial Comment:
This might just add unnecessary bloat, but since Python is being used in CGI scripts, it can be used to narrow a security hole. One way of breaking security is for a naive programmer (don't try to deny their existence) to run an arbitrary command from the page viewer.

Perl has developed an interesting mechanism for helping with this: taint. The way it works is, when something comes directly from the user, like a key in a form, it is considered to have taint unless specifically untainted. Things like os.exec() would create a warning message if you passed tainted strings to them.

As I said, this might just add unnecessary bloat, but for an option that can be left out for most builds of Python I think it would be pretty nice.
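As an added illustration of the mechanism the request describes (example code, not from the report or from Python itself): request values are wrapped in a hypothetical `Tainted` str subclass, taint survives common string operations, `untaint` only launders a value that fully matches a validation regex, and a hypothetical `run_command` sink refuses tainted arguments instead of passing them on. The form field value is constructed for the example.

```python
import re


class TaintError(Exception):
    """Raised when tainted data reaches a sensitive sink."""


class Tainted(str):
    """A str subclass marking data that came directly from an untrusted source."""

    def _keep(self, value):
        # Any string derived from tainted input stays tainted.
        return Tainted(value) if isinstance(value, str) else value

    def __add__(self, other):
        return self._keep(str.__add__(self, other))

    def __radd__(self, other):
        return self._keep(str.__add__(other, self))

    def __mod__(self, args):        # tainted % args
        return self._keep(str.__mod__(self, args))

    def __rmod__(self, fmt):        # "%s" % tainted
        return self._keep(str.__mod__(fmt, self))

    def __getitem__(self, key):     # indexing and slicing
        return self._keep(str.__getitem__(self, key))

    def strip(self, chars=None):
        return self._keep(str.strip(self, chars))


def is_tainted(value):
    return isinstance(value, Tainted)


def untaint(value, pattern):
    """Launder a value only when the whole of it matches a validation regex.
    Returns a plain str on success, or None when validation fails."""
    match = re.fullmatch(pattern, value)
    return None if match is None else str(match.group(0))


def tainted_args(argv):
    """Return the positions of any tainted arguments in a command vector."""
    return [i for i, arg in enumerate(argv) if is_tainted(arg)]


def run_command(argv):
    """Hypothetical guarded sink standing in for os.exec*() / subprocess."""
    bad = tainted_args(argv)
    if bad:
        raise TaintError("tainted data in command arguments at %s" % bad)
    return list(argv)  # a real sink would hand argv to subprocess.run here


# Constructed sample: a form field value as a CGI script would receive it.
FORM_FIELD = Tainted("report 2002.txt")
SAFE_NAME = untaint(FORM_FIELD.strip(), r"[A-Za-z0-9_.-]+")  # None: space rejected
```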
