When untainting variables in Perl, does all the untainting have to be done locally to the Perl (.pl) file, or can it be passed through a Perl module (.pm) to untaint?

For example, untainting may look something like this:

$string =~ /\A(.*)\z/s

(obviously it is a bad practice to blanket match-anything an input, this is just showing an example)

I'm wondering if it is possible to pass it through a .pm, since I want to execute against the same regex expression in multiple .pl files.

use myModule;

$string = myModule::myUntaint($string);

Where "myUntaint" is a subroutine within the .pm "myModule" that contains my regex.

SpenserAD
    It should never look like `$string =~ /\A(.*)\z/s` or `myModule::myUntaint($string);`. It should validate the value. – ikegami Sep 16 '15 at 16:36
  • 2
    Have you tried this? I assume that because `CGI::Untaint` or `Untaint` exists, that it works. However for obvious reasons - you shouldn't just blanket untaint, because the whole point is to ensure any potentially dangerous input isn't any more. – Sobrique Sep 16 '15 at 16:36
  • Thanks for the input. I used `$string =~ /\A(.*)\z/s` as a quick example of untainting. It's obviously typically a horrendous practice to blanket match-anything when untainting. The `myUntaint()` subroutine in the myModule .pm would contain the proper regex to validate the value. – SpenserAD Sep 17 '15 at 17:09
  • I have tried this before and it appeared to work. Though I've also been able to somewhat 'trick' taint mode before, so I wasn't 100% sure it was working properly. – SpenserAD Sep 17 '15 at 17:15

1 Answer

Yes, you can have a subroutine in a module that takes a tainted parameter and returns an untainted expression derived from it.

But you shouldn't be using a generic match-anything expression like /\A(.*)\z/s for untainting. That defeats the purpose of tainting, which is to ensure that the value looks like what you were expecting before you use it. (But that has nothing to do with where the code that does the untainting lives.)

cjm
  • Thanks for the input. You're correct, one should rarely (never) do a blanket match-anything expression. That was written just as a quick example. – SpenserAD Sep 17 '15 at 17:07
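The following is an added example, not code from the question or the answer, showing what the accepted answer describes: a validating untaint subroutine living in a module, called from a script running under taint mode. The package name `MyUntaint` and the sub `untaint_username` are hypothetical; `Scalar::Util::tainted` is a real core function used here only to make the taint flag visible. The package is written inline so the demo is a single file; moving it into `MyUntaint.pm` (ending in `1;`) and loading it with `use MyUntaint;` changes nothing about how the untainting works.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl [username]
# Added example (not from the question or answer). MyUntaint is a hypothetical
# module, written inline here so the whole demo is one file. To share it between
# several .pl scripts, move the package into MyUntaint.pm (ending in "1;") and
# load it with "use MyUntaint;".
use strict;
use warnings;

package MyUntaint;
use Scalar::Util qw(tainted);

# Return the validated, untainted value, or undef if it is not acceptable.
# The taint flag is cleared by the regex capture ($1), and that works the same
# whether the match runs in a .pl file or inside this module. What makes the
# result safe is the pattern: it admits only the values the caller expects.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    if ($raw =~ /\A([a-z][a-z0-9_]{0,31})\z/) {
        return $1;
    }
    # Reject rather than strip: "../etc/passwd" yields undef, not "etcpasswd".
    return;
}

package main;
use Scalar::Util qw(tainted);

# Under -T every value from @ARGV and %ENV is tainted. When no argument is
# given, a constructed sample value is made tainted by concatenating an empty
# substring of a tainted value, which propagates the taint flag.
my $input = @ARGV ? $ARGV[0] : 'alice' . substr($ENV{PATH} // '', 0, 0);
printf "input    %-18s tainted=%d\n", "'$input'", tainted($input) ? 1 : 0;

my $user = MyUntaint::untaint_username($input);
if (defined $user) {
    printf "clean    %-18s tainted=%d\n", "'$user'", tainted($user) ? 1 : 0;
    # $user can now be used in open(), system() etc. without an
    # "Insecure dependency" error.
} else {
    print "rejected: input does not look like a username\n";
}

# A hostile-looking constructed value is rejected outright, not blanket-untainted.
my $bad = '../etc/passwd' . substr($ENV{PATH} // '', 0, 0);
print defined MyUntaint::untaint_username($bad)
    ? "BUG: accepted '$bad'\n"
    : "rejected '$bad'\n";
```

Run it with `perl -T` (or via the shebang), since Perl refuses a `-T` given only on the shebang line when started without it ("Too late for -T"). The design choice worth noticing is that the subroutine returns `undef` on a non-match instead of falling back to a match-anything pattern: the caller has to handle the rejection, which is exactly the check taint mode exists to force.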