Taint mode

Gervase Markham gerv at mozilla.org
Tue Jul 28 09:08:00 UTC 2015


On 27/07/15 13:50, Frédéric Buclin wrote:
> It's a performance hit based on which benchmarks?

I agree we do need to run some, and I believe Dylan said he would. But
based on the experience of other people.

> First of all, I would say that a 10% performance penalty is not that
> much when talking about security.

A 10% performance penalty is a lot when talking about anything.

> I don't know which 3rd-party modules
> you are talking about, but we certainly don't "keep breaking" them. I
> have been involved long enough to know that it's not true.

DateTime::TimeZone has broken at least once and possibly twice now
because they don't test with taint.

> Secondly, about the use of placeholders and template escaping: we still
> catch "insecure dependency" problems from time to time, thanks to
> tainting being enabled. I agree, this is much less frequent than in the
> past. But Search.pm doesn't use placeholders for its queries, so a SQL
> code injection there would be annoying.

One option might be to use a different method of enabling taint mode
(environment var?) so that people can enable it for development and
disable it for production.

> Each new release contains new code and this code is certainly not safer
> than previous code. Humans still make errors in 2015.

I agree. The question is: how many of those errors does taint mode
actually catch? When was the last time you got a taint error, and it
actually turned out to be a potential security problem, as opposed to
e.g. running something through detaint_natural before making it the
placeholder value in an SQL query, which would be safe anyway?

Gerv
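As an added illustration, not code from this thread or from Bugzilla, the script below runs under -T and shows the two cases the message above contrasts: interpolated SQL (the Search.pm situation) and a placeholder query, each with tainted input, then the placeholder query after a detaint. It assumes DBI with DBD::SQLite is installed and that detaint_natural can be approximated by a regex capture of /^(\d+)$/, which is an assumption, not Bugzilla's implementation.

```perl
#!/usr/bin/perl -T
# Added example (not Bugzilla code). Assumes DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T, anything from @ARGV, %ENV, STDIN or files is tainted.
my $id = defined $ARGV[0] ? $ARGV[0] : '';

# Assumed approximation of detaint_natural: a regex capture is the only way
# to launder data, so the value is also validated as a natural number.
sub detaint_natural {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /^(\d+)$/;
    return $1;
}

# In-memory database; TaintIn makes DBI refuse tainted SQL text or bind values.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, summary TEXT)');
$dbh->do('INSERT INTO bugs VALUES (1, ?)', undef, 'constructed sample bug');

# Run a query, report whether DBI executed it or refused it (first error line only).
sub attempt {
    my ($label, $code) = @_;
    my $out = eval { $code->() };
    (my $err = $@) =~ s/\n.*//s;
    printf "%-34s %s\n", $label, $err ? "refused: $err" : "ok (" . ($out // 'no row') . ")";
}

printf "input '%s' tainted: %s\n", $id, tainted($id) ? 'yes' : 'no';

# 1. Statement text built from input: a real injection risk, and taint mode
#    rejects it because the SQL string itself is tainted.
attempt('interpolated SQL, tainted input', sub {
    $dbh->selectrow_array("SELECT summary FROM bugs WHERE bug_id = $id") });

# 2. Placeholder with the same tainted input: safe against injection, yet
#    DBI refuses it too; this is the kind of taint error the thread debates.
attempt('placeholder, tainted input', sub {
    $dbh->selectrow_array('SELECT summary FROM bugs WHERE bug_id = ?', undef, $id) });

# 3. After the detaint the placeholder query runs; non-numeric input never reaches DBI.
my $clean = detaint_natural($id);
if (defined $clean) {
    attempt('placeholder, detainted input', sub {
        $dbh->selectrow_array('SELECT summary FROM bugs WHERE bug_id = ?', undef, $clean) });
} else {
    print "detaint_natural rejected the input, nothing sent to the database\n";
}
```

Run it as `perl -T script.pl 1` and then with a non-numeric argument to see that only the regex check, not the placeholder, decides what reaches the database.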