
The Perl Jam 2: The Camel Strikes Back [32c3] - djent
https://www.youtube.com/watch?v=eH_u3C2WwQ0
======
raiph
Question from the Internet: "Does your exploit also work in tainted mode?"

Netanel Rubin: "No".

This simple "No" demonstrates the fundamental deception inherent in Netanel's
talk.

\----

From the Perl security document[1]:

> This flag [taint mode] is _strongly_ suggested for server programs and any
> program run on behalf of someone else, such as a CGI script.

\----

So:

1\. Any and all code, even in, say, Haskell, should typically take some
protective measure to counter the attack potential inherent in reading in
arbitrary unsafe user input.

2\. Perl provides a nice, simple, effective tool for dealing with this -- the
`-T` command line option that turns on taint mode.

3\. Netanel knows about this feature and could easily have mentioned and
suggested "Use Taint mode". But that would render his talk pointless...

[1]
[http://perldoc.perl.org/perlsec.html](http://perldoc.perl.org/perlsec.html)

