Chuck Adams on Thu, 28 Dec 2006 16:04:14 -0700 (MST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [s-d] dice server enhancements, part 2

On 12/28/06, Joel Uckelman <uckelman@xxxxxxxxx> wrote:
> I don't see any way to do what I want with taint in Perl. All input is
> tainted until I say it's not---but the problem is that I'm not sure
> how to identify good input so I can untaint it.

The simple answer: you don't untaint it at all.  You're only doing
mathematical operations, which are perfectly taint-safe.  Anything
that invokes a taint-unsafe operation like system() will die.  You
might possibly need to untaint just before you output, but that should
be perfectly safe at that point.

For something as simple as an expression language for random numbers
though, I'd just go with something that can't be unsafe, like a lua
with anything dangerous stripped out, rather than try to make a
full-blown language runtime environment safe.  I'm not even a big fan
of lua, but it's a case where tiny and simple really does win.

spoon-discuss mailing list