Plack & taint mode
Is it recommended to develop Plack applications (middlewares) with perl's taint mode?

If yes, how do I start plackup and/or Starman in taint mode? In a simple CGI script that was easily done with the shebang line.

Will perl -T /path/to/{plackup|starman} do the job? Or is there a recommended way? Or is it not recommended?

Any ideas, pointers, or articles about the combination of Plack and taint mode?

Reinold answered 29/5, 2011 at 8:37 Comment(0)
We usually don't recommend that people develop Plack applications under taint mode, simply because I personally don't believe in the usefulness of taint mode.

Plack's core utilities such as plackup and Plack::Util in particular don't play well with taint mode, because they need to compile the given .psgi file as source code. If you really want to develop your application under taint mode, you have to bypass plackup and use Plack::Handler or Plack::Loader.

Deplane answered 29/5, 2011 at 19:15 Comment(1)
I agree with not running starman (as a production server) under taint mode, but IMHO in development it is good practice to write apps that are taint safe, so every possible user input is matched against a regex. I'm using taint mode as a warning: beware, here is an unsafe variable. Anyway, thank you for the answer. ;) - Reinold
It is simple to work around the plackup utility. I can give you an example for FastCGI, but it should be possible to do the same with Starman. Forget about the .psgi file and use a plain startup script:

    use strict;
    use warnings;
    use FCGI::ProcManager::MaxRequests;
    use Plack::Handler::FCGI;

    # example values; adjust for your deployment
    my $name     = 'myapp';
    my $pid_file = '/var/run/myapp.pid';
    my $socket   = '/var/run/myapp.sock';

    my $app = sub {
        my $env = shift;
        #...
        return [200, ['Content-Type' => 'text/plain'], ['OK']];
    };
    #read the pid file, check for an old process, kill the old process...
    #...

    #choose a PSGI server implementation;
    #I prefer FCGI
    my $manager = FCGI::ProcManager::MaxRequests->new({
        'max_requests' => 100,
        'pid_fname'    => $pid_file,
        'n_processes'  => 3,
        'pm_title'     => $name,
    });
    my $server = Plack::Handler::FCGI->new(
        'listen'  => [$socket],
        'detach'  => 1,
        'manager' => $manager,
    ); #or use Plack::Loader to load a server

    #run your application
    $server->run($app);

Then start your startup.pl script in taint mode with perl -T.

Hauge answered 1/7, 2012 at 17:12 Comment(0)
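As an added example (not code from either answer or from the Plack project), the following startup script combines the two points made in this thread: it bypasses plackup by loading the server with Plack::Loader, as Deplane suggests, and it untaints request input with an explicit regex match, as Reinold's comment describes. It assumes HTTP::Server::PSGI (bundled with Plack) as the backend; the port, the `user` parameter and the `untaint_username` helper are illustrative choices, not anything from the original thread.

```perl
#!/usr/bin/perl -T
# Added example, not part of the original thread. Assumes Plack is installed;
# the backend name, port and the 'user' parameter are illustrative.
use strict;
use warnings;
use Plack::Loader;
use Plack::Request;

# Under -T the environment is tainted; set a known PATH and drop the
# variables perl warns about before anything could spawn a child process.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by extracting a capture group from a regex that describes the
# format we actually expect. Only the captured text loses the taint flag,
# so a permissive pattern such as /(.*)/ would defeat the purpose.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my $app = sub {
    my $env = shift;
    my $req = Plack::Request->new($env);

    # $req->param('user') is tainted under -T; passing it unchecked to
    # open(), system() or a similar call dies with "Insecure dependency".
    my $user = untaint_username($req->param('user'));
    unless (defined $user) {
        return [400, ['Content-Type' => 'text/plain'],
                ["invalid or missing 'user' parameter\n"]];
    }
    return [200, ['Content-Type' => 'text/plain'], ["hello, $user\n"]];
};

# Plack::Loader selects the backend by name and instantiates its
# Plack::Handler class; unlike plackup it never compiles a .psgi file,
# so nothing here trips taint checking. 'Starman' works the same way
# when that distribution is installed.
my $server = Plack::Loader->load('HTTP::Server::PSGI',
    host => '127.0.0.1',
    port => 5000,
);
$server->run($app);
```

Start it as `perl -T startup.pl` (or make the file executable so the shebang applies); if the shebang carries `-T` but the command line does not, perl aborts with "Too late for -T". A request such as `/?user=alice` is answered normally, while `/?user=../etc/passwd` is rejected with 400 before the value reaches anything that could act on it.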
