perl.perl5.porters | Postings from January 2004

[perl #25267] Tainting problem in AutoLoader.pm

From: Michael Yount
Date: January 25, 2004 22:16
Subject: [perl #25267] Tainting problem in AutoLoader.pm
Message ID: rt-3.0.8-25267-72188.0.315521857692218@perl.org
# New Ticket Created by  Michael Yount 
# Please include the string:  [perl #25267]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=25267 >


In AutoLoader.pm, the AUTOLOAD routine uses braces to preserve match
variables.  In taint mode on perl 5.8.0 and perl 5.8.1, this causes the
script to die with an "Insecure dependency in require" error during
autoloading if the $1 match variable was previously tainted.  

The problem occurs on line 53 of AutoLoader.pm:

  $filename =~ s#^(.*)$pkg\.pm\z#$1auto/$pkg/$func.al#s;

The tainted $1 variable taints the previously untainted $filename.

This behavior does not occur with perl 5.6.1 or earlier versions.

Michael
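
A regression check for the behaviour reported above, added here as an example; it is not part of the original message and not code from AutoLoader.pm beyond the one substitution quoted from line 53. The package name `Demo`, the function name `helper`, the library path, the sample input and the use of `use re 'taint'` to obtain a tainted `$1` are assumptions made for the check.

```perl
# Run with: perl -T taint_check.pl   (the file name is an assumption)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Taint mode is off; run with perl -T\n" unless ${^TAINT};

# Mirrors the shape of the AUTOLOAD code in the report: a bare block
# around the substitution quoted from line 53 of AutoLoader.pm.
# Defined before "use re 'taint'" below, so that pragma does not apply here.
sub al_filename {
    my ($filename, $pkg, $func) = @_;
    {
        $filename =~ s#^(.*)$pkg\.pm\z#$1auto/$pkg/$func.al#s;
    }
    return $filename;
}

# A zero-length tainted string ($^X is tainted under -T), used to build
# constructed "user input" without reading anything from outside.
my $TAINT = substr($^X, 0, 0);
my $input = "constructed-user-input" . $TAINT;

# With re 'taint' in effect, captures taken from tainted data stay tainted.
# The match is done at file scope so $1 is still live for the call below.
use re 'taint';
$input =~ /^(.*)$/ or die "setup match failed\n";
no re 'taint';

my $capture         = $1;
my $capture_tainted = tainted($capture) ? 1 : 0;

# Every argument here is an untainted literal (constructed values).
my $al = al_filename("/constructed/lib/Demo.pm", "Demo", "helper");
my $al_tainted = tainted($al) ? 1 : 0;

printf "perl %vd\n", $^V;
printf "prior \$1 tainted:   %s\n", $capture_tainted ? "yes" : "no";
printf "result:             %s\n", $al;
printf "filename tainted:   %s\n", $al_tainted ? "yes" : "no";

# A tainted filename built only from untainted parts is the condition that
# makes a later require die with "Insecure dependency in require".
if ($al_tainted) {
    print "AFFECTED: taint leaked from the earlier \$1 into the filename\n";
    exit 1;
}
print "OK: filename stayed untainted\n";
```

Run it under each perl build being compared; the exit status is non-zero only when the filename comes back tainted.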
