 
                            Perl provides a feature called 'taint mode' , which is a simple model for detecting data flow vulnerabilities such as SQL injection. When active, all scalar values are associated with a taint flag, and so they can be considered '"tainted' " or '"untainted'." Taint can propagate from variables to other variables in an expression...taint expression—taint is associated with a value, not a particular variable. The Perl interpreter will issue issues a fatal error if any tainted variable is used in certain operations, such as invoking the system() function. Finally, there are a few ways you can sanitize tainted data, thereby removing the taint.
...
If taint mode detects untainted data being used in a manner it deems insecure, it aborts the program. This is an improvement in security, as it is better for a program to crash than to reveal sensitive info, information or allow arbitrary code execution. However, many programs, such as Web web servers, may run in environments where a crash is unacceptable. The taint mode can be configured to emit a warning rather than a fatal error, but this practice is not recommended , as because it can permit behavior worse than a crash. Consequently, taint mode is best viewed as a testing tool , for verifying code before putting it into production use.
Taint mode is an example of a dynamic analysis tool, which is a tool that provides useful information about a program while it runs. Taint mode has the usual advantages and disadvantages of dynamic analysis tools. It does not produce false positives; it only emits errors only when tainted data is used in a manner it considers insecure, and therefore its messages warrant attention and demand a fix. It imposes a minor performance penalty from doing taint checks. Finally, it checks only checks code that actually runs. If a program is run in taint mode , and happens to never execute one particular file, than then that file may still contain dataflow vulnerabilities.
Taint mode has a very simple model of what data is tainted, when tainted data becomes untainted, and what operations may not be performed on tainted data. This model is sufficient for some programs , but not for others. Taint mode forbids tainted data from being passed to a command interpreter (such as system()) , or a file opened for writing (via open() or rename()). However, taint mode does not prevent tainted data from being used in certain other contexts, some of which are forbidden by various CERT rules:
| Data | Rule | 
|---|---|
| Filenames File names that are open only for reading | FIO01-PL. Do not operate on files that can be modified by untrusted users | 
| Numbers that are used as an array index | IDS32-PL. Validate any integer that is used as an array index | 
| Strings printed to standard output | IDS33-PL. Sanitize untrusted data passed across a trust boundary | 
...
In this case, the sanitized data may have the same value as the tainted data, but data harvested from a regex match is always considered to be untainted. It is up to the programmer to ensure that the regex will match only match sanitary data.
There are other ways to sanitize tainted data. For instance, hash keys cannot be tainted, so using tainted data as the key to a hash will sanitize it. Perl will also not stop tainted data from being sent to a subroutine or method referenced by a variable, as in:
...
Consequently, taint mode may be used for certain Perl scripts , and is required for some. All scripts with the setuid or setgid bit set run with taint mode. It should be used during testing and quality assurance. It will not detect all potential dataflow vulnerabilities, and it is critical to know when taint mode can be relied upon, on and when it cannot. The following is an example of a vulnerable program that cannot rely on taint mode.
...
Taint mode assumes a simple model...: all data is either tainted or untainted. While Although this assumption is useful for some applications, it is not sufficient for web-based security. Consider this noncompliant code example, from IDS33-PL. Sanitize untrusted data passed across a trust boundary:
...
This example contains a CGI form that prompts the user for a name and, and when given, displays the name on the page. Like all web forms, it also takes a URL argument indicating what link to visit when the user clicks Submit. Lines A, B, and C all involve tainted data being printed to standard output, from which it is used to render a webpageweb page.
- Line A contains the URL to visit. This URL will include all arguments, including the name. The CGI::start_formsanitizes the URL in a suitable manner , so that it may be visited , and will appear in the ' Address ' bar of a web browser.
- Line B contains the user's name. The CGI::textfield()method escapes text in a manner suitable for displaying in a text field.
- Line C again contains the user's name , but with no sanitization. This permits a an XSS vulnerability, as described in IDS33-PL. It is recommended that this text should be sanitized using the CGI::escapeHTML()method , in order to be safely displayed in a web page.
All three lines provide different contexts for their unsanitized data, and so each line requires a different type of sanitization. Applying one sanitization method to the wrong line is likely to leave the data improperly sanitizied, sanitized and subject to a potential injection attack.
Because taint mode does not distinguish between different contexts, it cannot discern that text sanitized for a URL should not be provided to a text field, and vice versa. Therefore, we do not recommend using taint mode for scripts that interact with the web.
Risk Assessment
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| IDS01-PL | Medium | Probable | Medium | P8 | L2 | 
Bibliography
| [Birzneiks 1998] | Birznieks, Gunther, "CGI/Perl Taint Mode FAQ, Version 1.0," | 
|---|
...
| June 3, 1998 | |
|---|---|
| [CPAN] | Bunce, Tim, DBI | 
| [CPAN] | Stosberg, Mark, CGI | 
| [Lester 2006] | Lester, Andy | 
...
...
| O'Reilly OULamp.com | 
...
| , November 17, 2006 | 
...
...
...
| Stack 2010] | 
...
...
2010 10:56
...