
petdance (2468)

petdance
  andy@petdance.com
http://www.perlbuzz.com/
Jabber: petdance@gmail.com

I'm Andy Lester, and I like to test stuff. I also write for the Perl Journal, and do tech edits on books. Sometimes I write code, too.

Journal of petdance (2468)

Wednesday February 04, 2004
01:45 AM

Test::Taint 0.01

[ #17198 ]
I just released Test::Taint 0.01 to CPAN. I stole most of it from Tom Phoenix's Taint module. I was going to base it on Dan Sugalski's Taint module, but I felt a pure Perl solution made more sense.

I was concerned about duplicating code, but the more I thought about it, it seems that Test::Taint really obviates both Taint distributions. It seems to me that the only time you would want to taint data would be in testing, which of course this covers. Thoughts?

Here's an example:

use Test::More;             # Provides ok(), which Test::Taint does not export
use Test::Taint tests=>4;
taint_checking_ok();        # We have to have taint checking on
my $id = "deadbeef";        # Dummy session ID
taint( $id );               # Simulate it coming in from the web
tainted_ok( $id );
$id = validate_id( $id );   # Your routine to check the $id
untainted_ok( $id );        # Did it come back clean?
ok( defined $id );
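
An added example, not part of the original post or of the Test::Taint distribution: the snippet above made into a complete test file, with a hypothetical `validate_id` that is assumed to accept 8 to 32 lowercase hex digits, plus a case where validation must reject the input. The sample IDs are constructed.

```perl
#!/usr/bin/perl -T
# Run under taint mode, e.g. "perl -T validate_id.t" or via prove.
use strict;
use warnings;
use Test::More tests => 7;      # ok() and is()
use Test::Taint;                # taint(), tainted_ok(), untainted_ok(), ...

# Hypothetical validator (an assumption of this example): a session ID
# is 8 to 32 lowercase hex digits. A regex capture is how Perl untaints
# data, so the pattern is anchored at both ends and kept as narrow as
# the format allows. Returns undef when the input does not match.
sub validate_id {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([0-9a-f]{8,32})\z/;
    return $clean;
}

taint_checking_ok();            # fails unless taint mode is on

# Constructed sample input: a well-formed ID arriving as tainted data.
my $id = "deadbeef";
taint( $id );
tainted_ok( $id, 'ID is tainted on the way in' );

my $checked = validate_id( $id );
untainted_ok( $checked, 'validated ID is clean' );
is( $checked, 'deadbeef', 'validation does not alter a good ID' );

# Constructed sample input: a trailing newline. A pattern ending in "$"
# would accept this; "\z" only matches at the true end of the string.
my $bad = "deadbeef\n";
taint( $bad );
tainted_ok( $bad, 'malformed ID is tainted on the way in' );

my $rejected = validate_id( $bad );
ok( !defined $rejected, 'malformed ID is rejected, not cleaned up' );
tainted_ok( $bad, 'the original input stays tainted' );
```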

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • You do sometimes want to taint stuff outside of a test suite.

    For example, if you're pulling info from a web service or a database you (as the developer) might know that some fields can be trusted and some cannot.

    Taint the untrusted ones at the interface layer between your application and the data source, and then you can feel safe that any errors in your handling of potentially dangerous data will be caught by Perl.

    Make some sort of vague sense?