develooper Front page | perl.perl5.porters | Postings from August 2021

Re: Pre-RFC: Configure option for whether to include taint support

Thread Previous | Thread Next
Leon Timmermans
August 13, 2021 01:53
Re: Pre-RFC: Configure option for whether to include taint support
Message ID:
On Fri, Aug 13, 2021 at 12:27 AM Leon Timmermans <> wrote:

> On Fri, Aug 13, 2021 at 12:19 AM Neil Bowers <> wrote:
>> Back in 2012, Steffen Mueller did some experimenting and found that taint
>> adds somewhere between 10% and 20% runtime overhead:
>> As you can see, there was some discussion at that time, but it didn’t
>> seem to go anywhere. This has come up again as a result of the Quirks
>> document, and we discussed it in last week’s PSC meeting.
>> Anecdotally, very few people use taint (these days), yet we’re all paying
>> the price. Furthermore, taint causes problems on Windows. For example,
>> File::Spec is broken on Windows when used with Taint mode on, because Taint
>> mode restricts use of environment variables (which doesn't protect
>> anything). See also this reddit discussion[1], on the problems with taint.
>> We’d like to consider adding a Configure option for disabling taint mode.
>> We see this as a potential first step to having this disabled by default,
>> and then possibly removing support for taint entirely.
>> We’re interested in hearing thoughts on this.
>> Neil
>> [1]
> Using -DNO_TAINT_SUPPORT as Steffen mentioned you can already build such a
> perl. All we really need to do is add a Configure option so that it can
> easily be disabled and so that code (especially tests) can keep it into
> account.
> One open question is if SILENT_NO_TAINT_SUPPORT should be enabled along
> with it. I would argue it should, without it many tests will refuse to even
> start running.

Probably most of the work is making the test suite use that %Config option
to skip any tests depending on it.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About