Chuck Adams on Thu, 28 Dec 2006 16:04:14 -0700 (MST)
Re: [s-d] dice server enhancements, part 2
On 12/28/06, Joel Uckelman <uckelman@xxxxxxxxx> wrote:
> I don't see any way to do what I want with taint in Perl. All input is
> tainted until I say it's not---but the problem is that I'm not sure
> how to identify good input so I can untaint it.

The simple answer: you don't untaint it at all. You're only doing mathematical operations, which are perfectly taint-safe. Anything that invokes a taint-unsafe operation like system() will die. You might possibly need to untaint just before you output, but that should be perfectly safe at that point.

For something as simple as an expression language for random numbers though, I'd just go with something that can't be unsafe, like a Lua with anything dangerous stripped out, rather than try to make a full-blown language runtime environment safe. I'm not even a big fan of Lua, but it's a case where tiny and simple really does win.

//s
_______________________________________________
spoon-discuss mailing list
spoon-discuss@xxxxxxxxx
http://lists.ellipsis.cx/mailman/listinfo/spoon-discuss
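The taint behaviour Chuck describes, as an added illustration that is not code from this thread or from the dice server itself: a small Perl script run under `-T` reads a constructed dice expression from STDIN (so it is tainted), does the arithmetic on it without untainting anything, shows that a `system()` call on the tainted result dies, and then untaints the final number with a regex capture only at the point of output. The `NdM` input format, the `roll_tainted`/`try_shell`/`untaint_total` helper names and the `echo 3d6 | perl -T taint_dice.pl` invocation are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Run as:  echo 3d6 | perl -T taint_dice.pl
# (the -T switch must be on the command line; Perl refuses to enable it later)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted too. A tainted PATH makes any later system()/exec
# die, so scrub the environment first (standard perlsec advice).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Constructed input: a dice expression such as "3d6", read from STDIN so that
# Perl marks it tainted exactly as real client input would be.
my $expr = <STDIN>;
defined $expr or die "usage: echo 3d6 | perl -T $0\n";
chomp $expr;

# Roll the dice without untainting anything. split() does not strip taint
# (only regex captures do), so $count, $sides and the total all stay tainted,
# yet every arithmetic operation below is permitted under -T.
sub roll_tainted {
    my ($e) = @_;
    my ($count, $sides) = split /d/, $e, 2;
    die "expected NdM, got '$e'\n"
        unless defined $sides && $count =~ /^\d+$/ && $sides =~ /^\d+$/;
    my $total = 0;
    $total += 1 + int rand $sides for 1 .. $count;
    return $total;
}

# Try to hand the tainted value to the shell. Under -T this dies with
# "Insecure dependency in system while running with -T switch"; eval turns
# that into a reportable refusal instead of killing the script.
sub try_shell {
    my ($value) = @_;
    my $ok = eval { system('echo', $value); 1 };
    return $ok ? 'ran' : "refused: $@";
}

# Untaint only at the output boundary: a regex capture is the one sanctioned
# way to clear taint, and here the pattern also proves the value is a plain
# non-negative integer before it leaves the program.
sub untaint_total {
    my ($value) = @_;
    my ($clean) = $value =~ /^(\d+)$/
        or die "unexpected non-numeric total: $value\n";
    return $clean;
}

printf "input tainted:  %d\n", tainted($expr) ? 1 : 0;   # 1

my $total = roll_tainted($expr);
printf "total tainted:  %d\n", tainted($total) ? 1 : 0;  # 1: math is allowed, taint propagates

print try_shell($total), "\n";                            # refused: Insecure dependency ...

my $clean = untaint_total($total);
printf "output tainted: %d\n", tainted($clean) ? 1 : 0;  # 0
print "rolled $clean\n";
```

The point of the order of operations is the one Chuck makes: nothing in the rolling code needs to know what "good input" looks like, because addition and `rand` never consult the taint flag. Taint only bites at the dangerous boundary (`system()` here), and the single untaint happens where a validating regex is easy to write, on the final integer rather than on the free-form expression.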