Making Taint support optional in Perl
One of the changes to Perl that we're considering on p5p (the perl5-porters mailing list) is the removal of taint support. The first step towards that is to add a Configure option that lets you build a Perl without taint support.
In this post I'll explain what we're considering, and why. The purpose of this post is to let everyone beyond p5p know about this, and give you a chance to comment.
One of the themes for work being done on p5p is tidying up Perl — removing features that aren't widely used, or which turned out to be a bad idea. There are a number of reasons why we might do this:
- The feature confuses people who are new to the language.
- Removing the feature will improve performance.
- Removing the feature will simplify the internals and/or make it easier for other features to be added.
One such feature is taint mode. When taint mode is enabled, Perl runs various checks, such as ensuring that path directories aren't writable by others. In taint mode any data that came from outside your program, for example by reading it from a file, is marked as tainted. Any expression that involves tainted data is itself tainted. You can launder the data to remove the taint flag. See the section in perlsec for more details.
Support for taint mode adds a runtime overhead, that we think is on the order of 10% in some scenarios. This overhead affects all Perl programs, whether or not you're using taint mode.
If you're concerned about the security of your code, you're probably familiar with the OWASP top 10, and will be doing a lot more than taint provides. As a result we think very few people use taint mode. Therefore we think it is a candidate for removal from Perl.
The path we currently envisage is this:
- We will add a Configure option to Perl, to make it easy to build a perl without the taint overhead. By default Configure will enable taint.
- At some point later (likely at least 2 years) we will switch the default to not include taint support.
- At some further point in the future, we might remove taint support from the codebase.
We're interested to hear what people think about this. Maybe more of you use taint than we think, in which case we might stick on step 1 of the above plan. If you want to give feedback on this, add comments here or on reddit.