...
Data | Rule |
---|---|
Filenames that are open only for reading | FIO01-PL. Do not operate on files that can be modified by untrusted users |
Numbers that are used as an array index | IDS32-PL. Validate any integer that is used as an array index |
Strings printed to standard output | IDS33-PL. Sanitize untrusted data passed across a trust boundary |

Taint mode also provides a handful of mechanisms to produce untainted data from tainted data. The preferred means of sanitizing tainted data is to use a regex:
```perl
my $tainted_data = $ARGV[0];            # initialized from an untrusted source (placeholder)
my $regex        = qr/^[A-Za-z0-9_]+$/; # data is sanitary if it satisfies this (placeholder)
$tainted_data =~ m{($regex)};           # the match should be checked: $1 is stale if it fails
my $sanitized_data = $1;                # text captured by a successful match is untainted
```
In this case, the sanitized data may have the same value as the tainted data, but data harvested from a regex match is always considered to be untainted. It is up to the programmer to ensure that the regex will only match sanitary data.

There are other ways to sanitize tainted data. For instance, hash keys cannot be tainted, so using tainted data as the key to a hash will sanitize it.

Perl will also not stop tainted data from being sent to a subroutine or method referenced by a variable, as in:
```perl
$obj->$method(@args);   # method named by $method; no taint check is applied to this call
```

or

```perl
$foo->(@args);          # code reference held in $foo; no taint check is applied to this call
```
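The three mechanisms discussed above (regex capture, hash-key laundering, and the unchecked dynamic method call) in one script that runs under `perl -T`, as an added example that is not part of the original page; the `Greeter` class, `untaint_ident`, `launder_via_hash_key` and the identifier regex are assumed for illustration:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allow-list sanitizer: capture from the regex and return undef on no match,
# so a stale $1 from an earlier match can never be passed off as sanitized.
sub untaint_ident {
    my ($data) = @_;
    return undef unless defined $data;
    return $data =~ m{^([A-Za-z_][A-Za-z0-9_]{0,31})$} ? $1 : undef;
}

# Hash-key laundering: Perl never taints hash keys, so the round trip yields
# untainted data although nothing has validated its contents.
sub launder_via_hash_key {
    my ($data) = @_;
    my %h = ($data => 1);
    return (keys %h)[0];
}

package Greeter { sub new { bless {}, shift } sub hello { 'hello' } }

# Constructed input: under -T every element of @ARGV is tainted.
die "usage: perl -T $0 <method-name>\n" unless @ARGV;
my $raw = $ARGV[0];
my $obj = Greeter->new;
printf "argument tainted: %d\n", tainted($raw) ? 1 : 0;

# Dynamic dispatch is not among the operations taint mode checks: the call
# below is not stopped by -T even though the method name is tainted.
my $out = eval { $obj->can($raw) ? $obj->$raw() : 'no such method' };
print "unchecked dispatch: ", ($@ ? "died: $@" : ($out // 'undef')), "\n";

my $laundered = launder_via_hash_key($raw);
printf "hash-key laundered, tainted: %d (but never validated)\n", tainted($laundered) ? 1 : 0;

# Mitigation: sanitize with the regex, then dispatch only on names we expose.
my %exposed = map { $_ => 1 } qw(hello);
my $clean = untaint_ident($raw);
if (defined $clean && $exposed{$clean}) {
    printf "regex-untainted '%s', tainted: %d\n", $clean, tainted($clean) ? 1 : 0;
    print "checked dispatch: ", $obj->$clean(), "\n";
} else {
    print "refused: argument is not an exposed method name\n";
}
```

Run it as `perl -T taint_demo.pl hello` and then with a name such as `new` to see the unchecked call misbehave while the allow-listed path refuses it.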
The specific issue of what data is tainted depends on the execution environment. For example, data read from a database may or may not be considered tainted. Perl's DBI module provides an optional TaintOut attribute. If set, then any data retrieved from a database will be considered tainted.
...