
Re: [perl #17867] [bug] taint mode and instruction modifier

From: Benjamin Goldberg
Date: October 13, 2002 12:16
Subject: Re: [perl #17867] [bug] taint mode and instruction modifier
Message ID: 3DA9C7DA.C529E304@earthlink.net

Michael G Schwern wrote:
> 
> On Sat, Oct 12, 2002 at 03:19:42AM -0400, Benjamin Goldberg wrote:
> > > Here's a strange behavior.
> > > Could you tell me whether it's a feature or not - I think it should be
> > > a bug.
> > >
> > > Under taint mode, using instruction modifiers does not get the same
> > > result as regular flow control instructions:
> > >
> > > $ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
> > > Insecure dependency in eval while running with -T switch at -e line 1.
> > > $ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
> > > foobar
> > >
> > > This behavior seems rather strange to me.
> >
> > Any time that you say
> >    EXPR1 if EXPR2;
> > , it's just as if you had said
> >    (EXPR2) and (EXPR1);
> >
> > If EXPR2 is tainted, the taint propagates into EXPR1.
> 
> Why does it do that?  EXPR1 isn't altered by EXPR2.  The only effect EXPR2
> can have on EXPR1 is whether or not it's executed.  And no other control
> modifier propagates taintedness in that way.

Umm, err, now *that*, I don't have an answer to.  I'm just saying that
this behavior is merely an extension of previously known *and documented*
behavior.  From perldoc perlsec:

  Laundering and Detecting Tainted Data

    To test whether a variable contains tainted data, and whose use would
    thus trigger an "Insecure dependency" message, check your nearby CPAN
    mirror for the Taint.pm module, which should become available around
    November 1997. Or you may be able to use the following *is_tainted()*
    function.

        sub is_tainted {
            return ! eval {
                join('',@_), kill 0;
                1;
            };
        }

    This function makes use of the fact that the presence of tainted data
    anywhere within an expression renders the entire expression tainted. It
    would be inefficient for every operator to test every argument for
    taintedness. Instead, the slightly more efficient and conservative
    approach is used that if any tainted value has been accessed within the
    same expression, the whole expression is considered tainted.

-- 
my $n = 2; print +(split //, 'e,4c3H r ktulrnsJ2tPaeh'
.."\n1oa! er")[map $n = ($n * 24 + 30) % 31, (42) x 26]
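
The three forms discussed in this thread can be compared directly without an eval. The script below is an added example, not code from any poster in the thread; it assumes Scalar::Util is installed, builds its tainted condition from `$^X` (a constructed input), and only reports what the running perl does, so the output should be read against the behaviour described above for that perl version.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as: perl -T taint_forms.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed tainted, true condition: $^X is tainted under -T, and joining
# an empty substring of it onto '1' yields a tainted value that is still true.
my $cond = '1' . substr($^X, 0, 0);
die "constructed condition is not tainted\n" unless tainted($cond);

# Each form appends the same constant to the same constant base string;
# only the control construct that consults $cond differs.
my %forms = (
    'modifier (EXPR1 if EXPR2)' => sub {
        my $cmd = 'print q(foo)';
        $cmd .= '.q(bar)' if $cond;
        return $cmd;
    },
    'explicit (EXPR2) and (EXPR1)' => sub {
        my $cmd = 'print q(foo)';
        ($cond) and ($cmd .= '.q(bar)');
        return $cmd;
    },
    'block if (EXPR2) { EXPR1 }' => sub {
        my $cmd = 'print q(foo)';
        if ($cond) { $cmd .= '.q(bar)' }
        return $cmd;
    },
);

printf "perl %vd\n", $^V;
for my $name (sort keys %forms) {
    my $cmd = $forms{$name}->();
    # tainted() reads the taint flag directly, so the string never has to be
    # passed to eval or another taint-checked builtin to see the result.
    printf "%-30s => %s\n", $name, tainted($cmd) ? 'TAINTED' : 'clean';
}
```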
