Making Taint support optional in Perl

One of the changes to Perl that we're considering on p5p (the perl5-porters mailing list) is the removal of taint support. The first step towards that is to add a Configure option that lets you build a Perl without taint support.

In this post I'll explain what we're considering, and why. The purpose of this post is to let everyone beyond p5p know about this, and give you a chance to comment.

One of the themes for work being done on p5p is tidying up Perl — removing features that aren't widely used, or which turned out to be a bad idea. There are a number of reasons why we might do this:

  1. The feature confuses people who are new to the language.
  2. Removing the feature will improve performance.
  3. Removing the feature will simplify the internals and/or make it easier for other features to be added.

One such feature is taint mode. When taint mode is enabled, Perl runs various checks, such as ensuring that path directories aren't writable by others. In taint mode any data that came from outside your program, for example by reading it from a file, is marked as tainted. Any expression that involves tainted data is itself tainted. You can launder the data to remove the taint flag. See the section in perlsec for more details.

Support for taint mode adds a runtime overhead, that we think is on the order of 10% in some scenarios. This overhead affects all Perl programs, whether or not you're using taint mode.

If you're concerned about the security of your code, you're probably familiar with the OWASP top 10, and will be doing a lot more than taint provides. As a result we think very few people use taint mode. Therefore we think it is a candidate for removal from Perl.

The path we currently envisage is this:

  1. We will add a Configure option to Perl, to make it easy to build a perl without the taint overhead. By default Configure will enable taint.
  2. At some point later (likely at least 2 years) we will switch the default to not include taint support.
  3. At some further point in the future, we might remove taint support from the codebase.

We're interested to hear what people think about this. Maybe more of you use taint than we think, in which case we might stick on step 1 of the above plan. If you want to give feedback on this, add comments here or on reddit.

5 Comments

One scenario where taint checking is relevant are setuid scripts which might still exist. In that case, Perl silently activates taint checking, and in particular, does no longer examine the environment variables PERL5LIB and PERLLIB. May I suggest to keep that part of taint checking? This feature doesn't require a -T switch so it would not even have to be called "taint mode", but it is a decent safeguard against setuid scripts running user-supplied code. It doesn't affect performance either.

I'm the task leader for a group that develops web and database applications, and we have dozens of web applications that use and rely on taint mode. I want to say this is a horrible idea.

I would opt for a dedicated binary 'tperl' which has enabled taint mode by default. And a similar set of *.so libraries for Perl embedded environments such as Apache and PostgreSQL.

And yes, we also use taint mode on public facing websites as good practice.

Likewise we use taint in web applications whose code does not show up on CPAN. If taint were removed in later releases of Perl that would deny us an upgrade path to those releases. If you wish to remove taint please provide a feature guard so that the removal has to be explicitly requested. Thanks!

Leave a comment

About Neil Bowers

user-pic Perl hacker since 1992.