perl IO eventhandler for untainting strings

Question

How do I create an event handler in my Perl code to intercept all File/Directory/system-based calls, so that I can untaint input in a just-in-time fashion.

I have lots of IO access in my script, and I find adding manual code for untainting cumbersome.

Can this be done without need to install a third-party CPAN module?

Answer 1

You could try taking an aspect-oriented approach but it does require installing a CPAN module, Aspect.

To capture calls to a particular method / function, you define a pointcut (taken from the Aspect POD):

$pointcut = call qr/^Person::[gs]et_/; # defines a collection of events

Then define the code to take before the call:

$before = before {
  print "g/set will soon be called";
} $pointcut;

Although I'm not sure if the Aspect module allows you to trap calls to the CORE::* namespace.

Answer 2

How do expect to untaint general data? If you're just going to blindly accept everything despite its source, there's no point in using taint-checking.

You might want to read the "Secure Programming Techniques" chapter in Mastering Perl. I give quite a bit of advice for dealing with this sort of stuff. However, any good advice is going to be targeted at specific situations, not generalizations.