Re: Pre-RFC: Configure option for whether to include taint support

From: Leon Timmermans
Date: August 12, 2021 22:28
Subject: Re: Pre-RFC: Configure option for whether to include taint support
Message ID: CAHhgV8ifJkJCgAP8ub039dpOyVjQDeNh16j9ODk0_7wcwRLbKQ@mail.gmail.com

On Fri, Aug 13, 2021 at 12:19 AM Neil Bowers <neilb@neilb.org> wrote:

> Back in 2012, Steffen Mueller did some experimenting and found that taint
> adds somewhere between 10% and 20% runtime overhead:
> https://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193822.html
> As you can see, there was some discussion at that time, but it didn’t seem
> to go anywhere. This has come up again as a result of the Quirks document,
> and we discussed it in last week’s PSC meeting.
>
> Anecdotally, very few people use taint (these days), yet we’re all paying
> the price. Furthermore, taint causes problems on Windows. For example,
> File::Spec is broken on Windows when used with Taint mode on, because Taint
> mode restricts use of environment variables (which doesn't protect
> anything). See also this reddit discussion[1], on the problems with taint.
>
> We’d like to consider adding a Configure option for disabling taint mode.
> We see this as a potential first step to having this disabled by default,
> and then possibly removing support for taint entirely.
>
> We’re interested in hearing thoughts on this.
>
> Neil
>
> [1]
> https://www.reddit.com/r/perl6/comments/718z4o/taint_mode_for_perl_6/dnmu83i/
>

Using -DNO_TAINT_SUPPORT, as Steffen mentioned, you can already build such a
perl. All we really need to do is add a Configure option so that it can
easily be disabled and so that code (especially tests) can take it into
account.

One open question is whether SILENT_NO_TAINT_SUPPORT should be enabled along
with it. I would argue it should; without it, many tests will refuse to even
start running.

Leon
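
The following probe is an added example, not part of the original message or of the perl source tree. It shows how a test or deployment check can tell apart the builds discussed above: a normal perl, one built with -DNO_TAINT_SUPPORT (which refuses -T at startup), and one that also has SILENT_NO_TAINT_SUPPORT (which accepts -T and ignores it). The function name `taint_status` and the TAP messages are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Start a child copy of the running perl with -T and ask it whether taint
# mode actually came on. Run this probe itself without -T.
# taint_status() is a hypothetical helper name, not a core function.
sub taint_status {
    # List-form pipe open: no shell is involved in starting the child.
    my $pid = open(my $out, '-|', $^X, '-T', '-e', 'print ${^TAINT}');
    return 'unknown' unless $pid;

    my $seen = do { local $/; <$out> };
    close $out;                       # sets $? to the child's exit status

    # The child died before running any code: -T was rejected at startup.
    return 'refused' if $? != 0;

    # ${^TAINT} is 1 when -T is in effect.
    return 'active' if defined $seen && $seen eq '1';

    # -T was accepted but ${^TAINT} is 0: the switch was silently ignored.
    return 'ignored';
}

my $status = taint_status();

if ($status eq 'active') {
    print "1..1\n";
    print "ok 1 - this perl enforces taint mode under -T\n";
}
elsif ($status eq 'refused') {
    # Scripts with -T on the #! line will not start on this perl at all.
    print "1..0 # SKIP perl built without taint support (-T is refused)\n";
}
elsif ($status eq 'ignored') {
    # Scripts with -T on the #! line run here with no taint checks,
    # so any input validation they delegate to taint mode is not happening.
    print "1..0 # SKIP perl silently ignores -T (no taint checks performed)\n";
}
else {
    print "1..0 # SKIP could not start a child perl to probe taint support\n";
}
```

The 'ignored' result is the one worth alerting on outside the test suite, since a script that requests -T on such a build runs without any error and without the checks.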
