Plack & taint mode

Question

Is it recommended developing Plack applications (middlewares) with perl's taint mode?

If yes, how to start plackup and/or Starman in tainted mode? In the simple CGI script that was easily done with the shebang line.

Will perl -T /path/to/{plackup|starman} do the job? Or here is any recommended way? Or it is not recommended?

Any ideas, pointers, articles about the combination Plack+Taint mode?

Answer 1

We usually don't recommend people to develop Plack applications under the taint mode, simply because I personally don't believe in the usefulness of the taint mode.

Plack's core utilities such as plackup and Plack::Utli particularly don't play well with the taint mode because it needs to compile the given .psgi file as a source code. If you really want to develop your application under the taint mode, you have to bypass the plackup and use Plack::Handler or Plack::Loader.

Answer 2

it is simple to workaround the plackup util, i can give you a example for fastcgi but it should be posible to do the same with starman forgett about the the .psgi file and use a plain startup script:

my $app = sub {
    my $env = shift;
    #...
}
#read the pid file, check for an old process, kill the old process...
#...

#choose a psgi Server impl.
#i prefere fcgi 
my $manager = new FCGI::ProcManager::MaxRequests({
'max_requests'=>100,
'pid_fname'=>$pid_file,
'n_processes'=> 3,
'pm_title'=> $name
});
my $server = Plack::Handler::FCGI->new(
'listen'=>[$socket],
'detach' => 1,
'manager' => $manager

); #or use Plack::Loader to load a server

#run your application $server->run($app);

then start your startup.pl script with taintmode perl -T