perl.perl5.porters | Postings from October 1999

Re: [BUG] taint seeps

From: Hugo
Date: October 26, 1999 06:39
Subject: Re: [BUG] taint seeps
Message ID: 199910261341.OAA15585@crypt.compulink.co.uk

In <E11g6B4-0007lP-00@taurus.cus.cam.ac.uk>, "M.J.T. Guy" writes:
:Hugo <hv@crypt.compulink.co.uk> wrote
:   [ about the leaking of taintedness ]
:
:I had always understood this as a feature, because Perl only does
:a very limited data flow analysis.    Specifically, once a tainted
:value has been encountered within an expression, all subsequent values
:generated in the expression are assumed to be tainted.

If that were the case, I would not expect the order of the key/value
pairs to affect the result. 

:Doing anything more complicated would be very expensive  -  presumably
:there'd have to be a separate taint flag for each subexpression or
:something.

That may be the problem, but I hope someone will have the tuits to
confirm that this is a deliberate design decision.

:And this _is_ documented, even if obliquely, in perlsec:
:
:                                               Any variable set
:to a value derived from tainted data will itself be tainted,
:even if it is logically impossible for the tainted data
:to alter the variable.

I think most people would perceive the 'variable' being 'set' here
as $object2->{untainted}, which is not in any way derived from
tainted data. Note that a simple hash assignment does not exhibit
the same problem:

  crypt% perl -Twe '%a = (tainted => $0, untainted => "test"); kill 0, $a{untainted}'
  Argument "test" isn't numeric in kill at -e line 1.
  crypt% 

Ah, perhaps you are right: while a hash assignment such as the above
doesn't seep, the same with an arrayref does:

  crypt% perl -Twe '$a = [$0, "test"]->[1]; kill 0, $a'
  Insecure dependency in kill while running with -T switch at -e line 1.
  crypt% 

.. so perhaps seeping is specific to lists wrapped into a reference
(though it doesn't appear to infect the keys of hashrefs).

I wish I had time to look into this more deeply though - it sure don't
seem right to me.

Hugo
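
The constructs compared in the message above can be probed side by side on any given perl. This is an added example, not part of the original post; it assumes a perl with `Scalar::Util` and `${^TAINT}` (5.8 or later), and the `probe` helper and labels are hypothetical names. It reports what the running interpreter does rather than asserting a result.

```perl
# Added example: run as  perl -T probe.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Report whether one value carries the taint flag.
sub probe {
    my $label = shift;
    printf "%-34s %s\n", $label, tainted($_[0]) ? 'TAINTED' : 'clean';
}

my $src = $0;    # same tainted source the post uses

# Each construct from the thread, built in its own statement.
my %hash = (tainted => $src, untainted => "test");
my $from_aref   = [$src, "test"]->[1];
my $from_aref_r = ["test", $src]->[0];          # constant placed first
my $href        = { tainted => $src, untainted => "test" };
my $href_r      = { untainted => "test", tainted => $src };
my ($key)       = grep { $_ eq 'untainted' } keys %$href;

# Probes are separate statements on purpose: the quoted explanation says
# taint spreads to later values within one expression, so collecting the
# results in a single list next to $src could itself mark them tainted.
probe('source ($0)',                   $src);
probe('hash assignment value',         $hash{untainted});
probe('arrayref, tainted elem first',  $from_aref);
probe('arrayref, constant first',      $from_aref_r);
probe('hashref value, tainted first',  $href->{untainted});
probe('hashref value, constant first', $href_r->{untainted});
probe('hashref key',                   $key);
```

Any line other than the source that prints TAINTED is a constant that picked up taint from its neighbour, which is the seeping described in the thread.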
