Is Perl's taint mode useful?

More than that :) it stops your security issues before they become one. It is not a security silver bullet of course... we used to use it (a few years back when I was involved in Perl projects) in any script that was exposed externally (i.e. any mod_perl app) and we found it very useful and made it our policy. It does a few checks and it is handy.. (anything makes things automated)

Perl Security - perlsec recommends it strongly too:

This flag [Taint mode] is strongly suggested for server programs and any program run on behalf of someone else, such as a CGI script. Once taint mode is on, it's on for the remainder of your script.


Most definitely!

$ echo '`rm -rf /`' | perl -Te 'eval while <>'
Insecure dependency in eval while running with -T switch at -e line 1, <> line 1.

The "Secure Programming Techniques" chapter of Mastering Perl is almost completely devoted to taint checking and how you should use it.

Many people will tell you it protects you, but they subtly lie about that. It's a developer tool that helps you find some (only some) spots in your code where you need to be careful. It's not going to solve all of your security problems.

Tags:

Perl

Taint