Erik Stephens
mod_python at 24ksoftware.com
Thu Mar 25 10:09:03 EST 2004
On Thu, 25 Mar 2004, Stephane Bortzmeyer wrote:

> > Not that I'm aware other than best practices (i.e. keep up-to-date,
> > proper configuration, don't trust user input,
> ^^^^^^^^^^^^^^^^^^^^^^
> Speaking of this, I do not find in Python the equivalent of Perl's
> -T switch. It is very useful to limit the risks of user-controlled
> input. Is there something like this in Python?

Doesn't look like there is such a thing. There seem to be some feature requests for it, though.

I wonder if there is a simpler way than having to modify the language. Perl and Ruby seem to only care about tainted variables if the context is bad, like when used in a shell command. What if CGI script writers would have to untaint all user inputs up front? This would make it easier to plumb this feature in at a higher level, like mod_python, as opposed to the language level.

Although, now that I think about it, if the taint/untaint interface is too annoying for programmers, then I'd imagine a lot of people would ignore it by doing the minimal amount of work to untaint everything. Maybe that's why the context-sensitive approach is better. It only squawks when it has to.

Don't really know what my point is, just random thoughts I guess :)

Best regards,
Erik
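The two approaches Erik contrasts (up-front untainting of every input versus a Perl -T style check only at a dangerous sink) can both be sketched in plain Python without changing the language. The following is an added example, not code from the thread or from mod_python; the names Tainted, untaint, shell_arg, build_command and SAFE_NAME are made up for it.

```python
import re

# Assumed policy for this example: what a file-name parameter may look like.
SAFE_NAME = r"[A-Za-z0-9_.-]+"


class TaintError(ValueError):
    """Raised when untrusted data is used without having been checked."""


class Tainted(str):
    """A str subclass marking data from an untrusted source (e.g. a CGI parameter).

    Strings built from a Tainted value stay Tainted, so the mark follows the data
    through concatenation, %-formatting and slicing. Only those operations are
    covered here; a full implementation would wrap every str method.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other)) if isinstance(other, str) else NotImplemented

    def __radd__(self, other):
        return Tainted(str.__add__(other, self)) if isinstance(other, str) else NotImplemented

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, template):  # "template %s" % tainted stays tainted
        return Tainted(str.__mod__(template, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))


def untaint(value, pattern):
    """Up-front untainting: accept only input matching the whole pattern and
    return it as a plain str. Anything else is rejected rather than 'cleaned'."""
    if re.fullmatch(pattern, value) is None:
        raise TaintError("input %r does not match %s" % (str(value), pattern))
    return str(value)


def shell_arg(value):
    """Context-sensitive check at the sink: tainted data may be logged or
    echoed, but must never become part of a command line."""
    if isinstance(value, Tainted):
        raise TaintError("tainted data in shell context: %r" % str(value))
    return value


def build_command(filename):
    """Build (but do not run) the command a script might use for a request."""
    return "wc -l %s" % shell_arg(filename)


def is_rejected(func, *args):
    """True when the taint checks stop the call, False when it goes through."""
    try:
        func(*args)
    except TaintError:
        return True
    return False
```

A request parameter would be wrapped as `Tainted(value)` at the point where mod_python or the CGI layer hands it to the script; everything downstream then either validates it with `untaint` or trips the sink check.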