Netscape and ActiveState To Cooperate on Development
Wednesday May 24th, 2000
#19 Re: /me is wary
Thursday May 25th, 2000 7:28 AM
Perl has a "taint" switch, which basically stops your program from using any data obtained from an outside source (file, STDIN, environment vars) to affect anything w/o "clearing" it first. For instance, you could not pass "rm -r -f *" directly to the system if you put it in a query string on a form -- you have to check the value in a regular expression (presumably checking for such dangerous strings first). This is an old, old function of Perl, predating its use as a CGI tool, and is quite robust. It won't save a stupid programmer by itself (you have to choose to use it), but it can _definitely_ help. Python, I would wager, has something similar.

There is a "miniperl", as well, designed just for embedding. But I don't think it's too necessary to take a lot out -- most of the mass is in the libraries, which you'd simply pick and choose from. On my system, my perl binary directory is about 2 Megs, with the perl.exe being 50k. I have 20 Megs of libraries, but I have a LOT of extraneous stuff.
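An added illustration of the taint mechanism the post above describes (example code written for this page, not from the original thread or from Perl's own documentation). It assumes a Unix-like system with ls on the PATH and reads one line from STDIN as a stand-in for the form value; run it as `perl -T taint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Demonstrates Perl taint mode: data from outside the program (STDIN here)
# is tainted by origin, not by content, and cannot reach system() until it
# has been "cleared" through a regular-expression capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted as well: a fixed PATH must be set before any
# system() call, and shell-influencing variables are removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed input: anything typed here (e.g. "report.txt" or
# "; rm -r -f *") arrives tainted because it came from STDIN.
my $filename = <STDIN>;
chomp $filename;
printf "raw value is %stainted\n", tainted($filename) ? '' : 'not ';

# 1. Passing the raw value to system() is refused regardless of its content:
#    Perl dies with "Insecure dependency in system while running with -T switch".
my $ok = eval { system('ls', '-l', '--', $filename); 1 };
print "raw value refused: $@" unless $ok;

# 2. Clearing: only the captured group of a successful match is untainted.
#    An allowlist of what a file name may look like is the actual check;
#    hunting for known-bad strings would be the weaker approach.
sub untaint_filename {
    my ($raw) = @_;
    return $raw =~ /\A(\w[\w.-]{0,63})\z/ ? $1 : undef;
}

my $clean = untaint_filename($filename);
if (defined $clean) {
    printf "cleared value is %stainted\n", tainted($clean) ? '' : 'not ';
    system('ls', '-l', '--', $clean) == 0
        or warn "ls exited with status $?\n";
} else {
    print "rejected: input is not a plain file name\n";
}
```

Feeding it "report.txt" shows the first system() still dying (origin, not content, decides taint) and the second one running on the cleared copy; feeding it "; rm -r -f *" shows the value never getting past the regex at all.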