Is Perl's taint mode useful?

Question

perl -T

Do you use it? Does it help you finding security holes in your Perl scripts?

Answer 1

I think taint mode would work best when new code is being developed that everyone is familiar with.

If you have someone else's code that is poorly written, and you run it in Taint mode -- perl will die rather than perform what by the tainting rules are 'unsafe' operations.

In taint mode perl some holes are patched but not all. system("$unfiltered_user_input") will die but Perl could still write $unfiltered_user_input data to a file with a fixed name (because printing tainted data is considered 'safe') and then execute that file with system(). But nothing can check everything.

There's a tradeoff there for using it on legacy apps. When Perl finds an unsafe operation on tainted data it will die -- which means someone must go in and decide what it means to untaint the data, what regexp are needed, before the application will be reliable again.

Some people would prefer insecure, reliable, low cost (for now) to -- secure, broken, need to find the developers. Not that thats good in the long run... but it is not unusual.