develooper Front page | perl.perl5.porters | Postings from October 2003

Re: [perl #24248] taint propagation regression, tests fail to spot this

From: Rick Delaney
Date: October 21, 2003 21:49
Subject: Re: [perl #24248] taint propagation regression, tests fail to spot this
Message ID: 20031022004907.A2233@biff.bort.ca
On Sun, Oct 19, 2003 at 02:44:20PM -0000, Nicholas Clark wrote:
> 
> I consider this to be critical because we have
> 
> 1: A regression from 5.8.0 to 5.8.1
> 2: Our regression tests completely fail to spot this
> 3: Taint propagation seems to be broken in fairly fundamental ways.

Yes, indeed.

>    (How can $1 be tainted? How can a copy of $1 fail to get that taint?)
> 
> Consider these 4 variations of the same script untainting @ARGV:
> 
> 0,2 match on $ARGV[0] directly, 1,3 match on a copy
> 0,1 interpolate $1 directly, 2,3 interpolate a copy
> 
> #!perl -T
> {
>   local $ENV{PATH} = "/bin";
> 
>   my $r = "foo";
> 
>   $ARGV[0] =~ /($r)/;
> 
>   my $c = "echo $1";
>   system $c;
> }
> __END__

More variations (5.8.0, assuming script named "foo"):

#!perl -T
{
    local $ENV{PATH} = "/bin";
    my $r = "foo";
    $0 =~ /($r)/;

    my $c = "echo $1";
    system $c;
}
__END__
foo


> {
>   local $ENV{PATH} = "/bin";
> 
>   my $r = "foo";
>  
>   my $argv = $ARGV[0];
>   $argv =~ /($r)/;
> 
>   my $c = "echo $1";
>   system $c;
> }
> __END__

#!perl -T
{
    local $ENV{PATH} = "/bin";
    my $r = "foo";
    my @argv = @ARGV;
    $argv[0] =~ /($r)/;

    my $c = "echo $1";
    system $c;
}
__END__
Insecure dependency in system while running with -T switch at ./foo line 9.


#!perl -T
{
    local $ENV{PATH} = "/bin";
    my $r = "foo";
    ($a = $0) =~ /($r)/;

    my $c = "echo $1";
    system $c;
}
__END__
Insecure dependency in system while running with -T switch at ./foo line 8.

It appears that any expression more complicated than a simple scalar
variable is wrongly propagating its taint into the regexp.  I don't know 
if it's intended that a tainted regexp should taint $1 without 
'use re "taint"' (I think that's reasonable) but that's another issue.

-- 
Rick Delaney
rick@bort.ca
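The point Nicholas raises in item 2, that the regression tests never noticed this, is that the existing checks only observe taint indirectly, by waiting for system() to die. The following is an added example, not code from this thread or from the perl test suite: a Test::More script that exercises the same match-target variations quoted above and inspects the taint flag on $1 directly with Scalar::Util::tainted(). It assumes PATH is set in the environment (used only as a source of a tainted empty string) and must be started as `perl -T taint_capture.t`; the file name and the helper capture_state() are my own. On a perl that leaks taint the way the array-element and assignment-expression scripts above do, the corresponding tests fail instead of depending on an "Insecure dependency" message from system().

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: a Test::More regression check for
# taint propagation through regexp captures.  Instead of relying on system()
# to die with "Insecure dependency", it inspects the taint flag directly with
# Scalar::Util::tainted(), so the assertions are precise and the test still
# runs where no shell is available.  Run it as:  perl -T taint_capture.t
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Test::More tests => 6;

# A zero-length tainted string: concatenating it onto any value taints the
# result without changing it.  %ENV is tainted under -T, so PATH is used as
# the source (assumes PATH is set in the environment).
my $TAINT = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);
tainted($TAINT)
    or BAIL_OUT("no tainted seed available: run under perl -T with PATH set");

# The pattern itself is untainted, as in the scripts quoted in the thread.
my $r = 'foo';

# Classify the most recent capture.  Takes the (scalar) match result so a
# failed match reports 'no match' rather than inspecting a stale $1; $1 is
# dynamically scoped, so the caller's capture is visible here.
sub capture_state {
    my ($matched) = @_;
    return 'no match' unless $matched;
    return tainted($1) ? 'tainted' : 'clean';
}

my $tainted_str = 'foo' . $TAINT;
ok(tainted($tainted_str), 'seed string is tainted');

# Match directly on a tainted scalar: the capture must come back untainted
# (that is the documented way to launder data).
is(capture_state(scalar($tainted_str =~ /($r)/)), 'clean',
   'capture from a direct match on a tainted scalar');

# Match on a plain scalar copy.
my $copy = $tainted_str;
is(capture_state(scalar($copy =~ /($r)/)), 'clean',
   'capture from a match on a scalar copy');

# Match on an element of an array copied from tainted data.
my @arr = ($tainted_str);
is(capture_state(scalar($arr[0] =~ /($r)/)), 'clean',
   'capture from a match on an array element');

# Match on an assignment expression, the ($a = $0) =~ /.../ form.
is(capture_state(scalar((my $assigned = $tainted_str) =~ /($r)/)), 'clean',
   'capture from a match on an assignment expression');

# Control: under "use re 'taint'" the capture is supposed to stay tainted,
# so a test that only checked for untainted captures would miss a perl
# that never propagates taint at all.
{
    use re 'taint';
    my $t = 'foo' . $TAINT;
    is(capture_state(scalar($t =~ /($r)/)), 'tainted',
       "capture stays tainted under use re 'taint'");
}
```

Passing the match result into capture_state() rather than reading $1 unconditionally matters: a failed match leaves $1 holding the previous capture, so a test that only looked at tainted($1) could pass or fail for the wrong reason. The last block is the control in the other direction, confirming that `use re 'taint'` still produces a tainted capture, so the test distinguishes "taint is laundered by the match" from "taint is never tracked at all".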
