Taint mode

Frédéric Buclin lpsolit at gmail.com
Mon Jul 27 12:50:25 UTC 2015

Le 27. 07. 15 12:57, Gervase Markham a écrit :
> At the last Bugzilla meeting, we discussed turning off taint mode, as
> it's a performance hit, keeps breaking 3rd party modules and provides
> marginal value now that we use placeholders properly and template escaping.

It's a performance hit based on which benchmarks? I suppose none has
been run against Bugzilla. If benchmarks have been run against Bugzilla,
then the results should be made public. For instance, Foswiki said that
they see a 10% boost with their code with taint mode disabled:


First of all, I would say that a 10% performance penalty is not that
much when talking about security. I don't know which 3rd-party modules
you are talking about, but we certainly don't "keep breaking" them. I
have been involved long enough to know that it's not true.

Secondly, about the use of placeholders and template escaping: we still
catch "insecure dependency" problems from time to time, thanks to
tainting being enabled. I agree, this is much less frequent than in the
past. But Search.pm doesn't use placeholders for its queries, so a SQL
code injection there would be annoying.

Each new release contains new code and this code is certainly not safer
than previous code. Humans still do errors in 2015. This is even more
true now that Bugzilla has an API which lets users interact with it
remotely. It's a new way to attack Bugzilla. Sure, the taint mode
doesn't make your code 100% safe, but it's one built-in security feature
that Perl has which we should use. And assuming you plan to only turn
off tainting on production installations, how would you keep it enabled
in development environments? You cannot simply turn a bit on/off. This
is an important point to consider.

To summarize: wanting to turn off the taint mode solely to make the code
faster is a mistake. In that case, there are better ways to make your
code much faster: replace Template Toolkit by Xslate. So I share the
same feeling as bbaetz here.

> Someone said a bug had been opened: is that right?

For bmo only: https://bugzilla.mozilla.org/show_bug.cgi?id=1186416


More information about the developers mailing list