On Sun, Oct 19, 2003 at 02:44:20PM -0000, Nicholas Clark wrote:
>
> I consider this to be critical because we have
>
> 1: A regression from 5.8.0 to 5.8.1
> 2: Our regression tests completely fail to spot this
> 3: Taint propagation seems to be broken in fairly fundamental ways.

Yes, indeed.

> (How can $1 be tainted? How can a copy of $1 fail to get that taint?)
>
> Consider these 4 variations of the same script untainting @ARGV:
>
> 0,2 match on $ARGV[0] directly, 1,3 match on a copy
> 0,1 interpolate $1 directly, 2,3 interpolate a copy
>
> #!perl -T
> {
>   local $ENV{PATH} = "/bin";
>
>   my $r = "foo";
>
>   $ARGV[0] =~ /($r)/;
>
>   my $c = "echo $1";
>   system $c;
> }
> __END__

More variations (5.8.0, assuming script named "foo"):

#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
  $0 =~ /($r)/;
  my $c = "echo $1";
  system $c;
}
__END__

foo

> {
>   local $ENV{PATH} = "/bin";
>
>   my $r = "foo";
>
>   my $argv = $ARGV[0];
>   $argv =~ /($r)/;
>
>   my $c = "echo $1";
>   system $c;
> }
> __END__

#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
  my @argv = @ARGV;
  $argv[0] =~ /($r)/;
  my $c = "echo $1";
  system $c;
}
__END__

Insecure dependency in system while running with -T switch at ./foo line 9.

#!perl -T
{
  local $ENV{PATH} = "/bin";

  my $r = "foo";
  ($a = $0) =~ /($r)/;
  my $c = "echo $1";
  system $c;
}
__END__

Insecure dependency in system while running with -T switch at ./foo line 8.

It appears that any expression more complicated than a simple scalar
variable is wrongly propagating its taint into the regexp. I don't know
if it's intended that a tainted regexp should taint $1 without 'use re
"taint"' (I think that's reasonable) but that's another issue.

--
Rick Delaney
rick@bort.ca
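The thread above relies on the interpreter dying inside system() to reveal whether $1 came out tainted. The script below is an added illustration, not code from the thread or from the perl distribution: it copies the match target into a plain lexical scalar (the form that worked in every variation above), then checks the capture explicitly with Scalar::Util::tainted before it is allowed anywhere near system(). The sub name untaint_word, the pattern /\A([a-z]+)\z/ and the trick of tainting a literal by appending a zero-length substring of the inherited PATH are assumptions for the demo, not anything from the original message.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the thread above. Must be run under -T,
# e.g.:  perl -T taint_check.pl            (constructed tainted input)
#        perl -T taint_check.pl 'foo'      (input taken from @ARGV)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Keep a zero-length slice of the inherited PATH before replacing it: the
# slice carries PATH's taint, so appending it lets the script taint a
# literal when no command-line argument is given (constructed input).
my $taint = defined $ENV{PATH} ? substr($ENV{PATH}, 0, 0) : "";
local $ENV{PATH} = "/bin";

my $input = (@ARGV ? $ARGV[0] : "foo") . $taint;

# Launder a value the way the working variations above do: copy it into a
# plain lexical scalar first, match with a pattern that contains no tainted
# data, then verify the capture instead of assuming it is clean.
sub untaint_word {
    my ($raw) = @_;
    my $copy = $raw;                  # plain scalar, not an aggregate element
    return unless $copy =~ /\A([a-z]+)\z/;
    my $word = $1;
    # If the capture is still tainted (the behaviour reported above for
    # complex match targets), refuse rather than let it reach system().
    return if tainted($word);
    return $word;
}

my $word = untaint_word($input);

printf "input tainted: %s\n", tainted($input) ? "yes" : "no";
if (defined $word) {
    printf "capture tainted: %s\n", tainted($word) ? "yes" : "no";
    # List-form system never invokes a shell, so no metacharacter
    # interpretation is possible even if the pattern above were relaxed.
    system("/bin/echo", $word) == 0
        or die "echo failed with status $?\n";
} else {
    die "refusing to run: input could not be untainted\n";
}
```

Run without arguments the script reports the constructed input as tainted and the capture as clean, then echoes "foo"; given an argument with anything outside [a-z] it dies in untaint_word before system() is reached. On a perl where a capture from a copied scalar still came out tainted, the tainted($word) check would trip first, so the failure is reported by the script's own logic rather than by an "Insecure dependency" at the call site.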