develooper Front page | perl.perl5.porters | Postings from October 2003

[perl #24248] taint propagation regression, tests fail to spot this

From:
Nicholas Clark
Date:
October 21, 2003 03:43
Subject:
[perl #24248] taint propagation regression, tests fail to spot this
Message ID:
rt-24248-66206.0.414436189266354@rt.perl.org
# New Ticket Created by  Nicholas Clark 
# Please include the string:  [perl #24248]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt2/Ticket/Display.html?id=24248 >



This is a bug report for perl from nick@ccl4.org,
generated with the help of perlbug 1.34 running under perl v5.8.1.


-----------------------------------------------------------------
[Please enter your report here]

Tony Finch brought this problem to my attention.

I consider this to be critical because we have

1: A regression from 5.8.0 to 5.8.1
2: Our regression tests completely fail to spot this
3: Taint propagation seems to be broken in fairly fundamental ways.
   (How can $1 be tainted? How can a copy of $1 fail to get that taint?)

Consider these 4 variations of the same script untainting @ARGV:

0,2 match on $ARGV[0] directly, 1,3 match on a copy
0,1 interpolate $1 directly, 2,3 interpolate a copy

#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";

  $ARGV[0] =~ /($r)/;

  my $c = "echo $1";
  system $c;
}
__END__
#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
 
  my $argv = $ARGV[0];
  $argv =~ /($r)/;

  my $c = "echo $1";
  system $c;
}
__END__
#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
 
  $ARGV[0] =~ /($r)/;

  my $l = $1;
  my $c = "echo $l";
  system $c;
}
__END__
#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
 
  my $argv = $ARGV[0];
  $argv =~ /($r)/;

  my $l = $1;
  my $c = "echo $l";
  system $c;
}
__END__

All 4 are semantically equivalent, yet:

$ perl5.8.0 -T t/taint0 foo
Insecure dependency in system while running with -T switch at t/taint0 line 10.
$ perl5.8.0 -T t/taint1 foo
foo
$ perl5.8.0 -T t/taint2 foo
foo
$ perl5.8.0 -T t/taint3 foo
foo

$ perl5.8.1 -T t/taint0 foo
Insecure dependency in system while running with -T switch at t/taint0 line 10.
$ perl5.8.1 -T t/taint1 foo
foo
$ perl5.8.1 -T t/taint2 foo
Insecure dependency in system while running with -T switch at t/taint2 line 11.
$ perl5.8.1 -T t/taint3 foo
foo

Hence there is a regression from 5.8.0 to 5.8.1 for taint2.

It seems that

1: taint is not being picked up by the regexp engine when matching on a copy
   of $ARGV[0] (pre 5.8.0 bug)
2: taint is being wrongly propagated into a copy of $1 (new 5.8.1 bug)
   but isn't in $1 itself
3: we seem to have no regression tests dealing with this class of bugs

The interpolation into the regexp seems to be crucial here. Tony's original
interpolation was of a qr// regexp, but it seems that a plain string will
do.

(5.8.1 I tested with is release 5.8.1 - bug still present in today's maint)

Nicholas Clark

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=critical
---
Site configuration information for perl v5.8.1:

Configured by nick at Sun Oct 19 13:42:04 BST 2003.

Summary of my perl5 (revision 5.0 version 8 subversion 1) configuration:
  Platform:
    osname=linux, osvers=2.4.20, archname=i686-linux
    uname='linux penfold.unixbeard.net 2.4.20 #1 sat apr 5 03:15:50 bst 2003 i686 gnulinux '
    config_args='-Dusedevel=y -Dcc=ccache gcc -Dld=gcc -Ubincompat5005 -Uinstallusrbinperl -Dcf_email=nick@ccl4.org -Dperladmin=nick@ccl4.org -Dinc_version_list=  -Dinc_version_list_init=0 -Doptimize=-O3 -Dusethreads=n -Accccflags=-DPERL_COPY_ON_WRITE -Dinstallman1dir=none -Dinstallman3dir=none -Duseperlio -Dprefix=/usr/local/perl5.8.2-snap21489 -de'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache gcc', ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O3',
    cppflags='-fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='3.3.2 20031005 (Debian prerelease)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    MAINT21379

---
@INC for perl v5.8.1:
    lib
    /usr/local/perl5.8.2-snap21489/lib/5.8.1/i686-linux
    /usr/local/perl5.8.2-snap21489/lib/5.8.1
    /usr/local/perl5.8.2-snap21489/lib/site_perl/5.8.1/i686-linux
    /usr/local/perl5.8.2-snap21489/lib/site_perl/5.8.1
    /usr/local/perl5.8.2-snap21489/lib/site_perl
    .

---
Environment for perl v5.8.1:
    HOME=/home/nick
    LANG=C
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/nick/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/contrib/bin:/usr/games:/usr/sbin:/usr/ucb:/sbin:/usr/etc:/data3/src/emacs/bin/i386-unknown-bsdi2.1/
    PERL_BADLANG (unset)
    SHELL=/bin/bash

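The report's third point is that nothing in the test suite checks this class of behaviour. The following is an added example, not part of the original report or of perl's own test suite: a small Test::More script that makes the two inconsistencies observable with Scalar::Util::tainted instead of waiting for system() to die. It assumes it is run as `perl -T taint_copies.t foo` (the file name and the argument are my choices); the test names are assumptions about the expected invariants, not assertions about any particular perl's output.

```perl
#!/usr/bin/perl -T
# Added regression check for the two inconsistencies described in the report:
#  (a) matching a copy of $ARGV[0] must taint $1 the same way as matching
#      $ARGV[0] in place, and
#  (b) a copy of $1 must carry exactly the taint that $1 carries.
# Run under taint mode with one argument:  perl -T taint_copies.t foo
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Test::More tests => 5;

my $r  = "foo";          # interpolated pattern fragment, as in the report
my $in = $ARGV[0];       # tainted under -T; assumed to match /foo/
defined $in or die "usage: perl -T $0 foo\n";

ok(tainted($in), '$ARGV[0] is tainted under -T');

# Variation 0: match the tainted value in place, record the taint of $1.
$ARGV[0] =~ /($r)/ or die "argument did not match /$r/\n";
my $t1_direct = !!tainted($1);

# Variation 1: match a plain copy of the same value.
my $copy = $ARGV[0];
$copy =~ /($r)/;
my $t1_copy = !!tainted($1);
is($t1_copy, $t1_direct,
   'taint of $1 does not depend on whether the target was a copy');

# Variation 2: copy $1 after matching in place.
$ARGV[0] =~ /($r)/;
my $l = $1;
is(!!tainted($l), !!tainted($1), 'copy of $1 carries the same taint as $1');

# Variation 3: copy $1 after matching a copy.
$copy = $ARGV[0];
$copy =~ /($r)/;
my $l3 = $1;
is(!!tainted($l3), !!tainted($1),
   'copy of $1 carries the same taint as $1 when the target was a copy');

# All four variations in the report are semantically equivalent, so the
# capture's taint should agree across them.
is(!!tainted($l3), $t1_direct, 'all four variations agree on the taint of the capture');
```

On a perl with the behaviour shown in the report, tests 2 and 3 are the ones that fail, which is what distinguishes the pre-5.8.0 bug from the 5.8.1 regression.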