Front page | perl.perl5.porters |
Postings from October 2003
On Sun, Oct 19, 2003 at 02:44:20PM -0000, Nicholas Clark wrote:
>
> I consider this to be critical because we have
>
> 1: A regression from 5.8.0 to 5.8.1
> 2: Our regression tests completely fail to spot this
> 3: Taint propagation seems to be broken in fairly fundamental ways.
Yes, indeed.
> (How can $1 be tainted? How can a copy of $1 fail to get that taint?)
>
> Consider these 4 variations of the same script untainting @ARGV:
>
> 0,2 match on $ARGV[0] directly, 1,3 match on a copy
> 0,1 interpolate $1 directly, 2,3 interpolate a copy
>
> #!perl -T
> {
> local $ENV{PATH} = "/bin";
>
> my $r = "foo";
>
> $ARGV[0] =~ /($r)/;
>
> my $c = "echo $1";
> system $c;
> }
> __END__
More variations (5.8.0, assuming script named "foo"):
#!perl -T
{
local $ENV{PATH} = "/bin";
my $r = "foo";
$0 =~ /($r)/;
my $c = "echo $1";
system $c;
}
__END__
foo
> {
> local $ENV{PATH} = "/bin";
>
> my $r = "foo";
>
> my $argv = $ARGV[0];
> $argv =~ /($r)/;
>
> my $c = "echo $1";
> system $c;
> }
> __END__
#!perl -T
{
local $ENV{PATH} = "/bin";
my $r = "foo";
my @argv = @ARGV;
$argv[0] =~ /($r)/;
my $c = "echo $1";
system $c;
}
__END__
Insecure dependency in system while running with -T switch at ./foo line 9.
#!perl -T
{
local $ENV{PATH} = "/bin";
my $r = "foo";
($a = $0) =~ /($r)/;
my $c = "echo $1";
system $c;
}
__END__
Insecure dependency in system while running with -T switch at ./foo line 8.
It appears that any expression more complicated than a simple scalar
variable is wrongly propagating its taint into the regexp. I don't know
if it's intended that a tainted regexp should taint $1 without
'use re "taint"' (I think that's reasonable) but that's another issue.
--
Rick Delaney
rick@bort.ca
Thread Previous
|
Thread Next