develooper Front page | perl.perl5.porters | Postings from October 2005

[chris.heath@autoweb.net: Bug#303308: Patch for Perl untaint bug]

From: Brendan O'Dea
Date: October 28, 2005 23:07
Subject: [chris.heath@autoweb.net: Bug#303308: Patch for Perl untaint bug]
Message ID: 20051029060721.GA32428@londo.c47.org
See: http://bugs.debian.org/303308 .

The issue described concerns $1 getting tainted when a __WARN__ handler
is called (undefined value) during the execution of an expression which
contains a tainted value.  After this point, $1 is always tainted.

From what I can tell, $1 is being tainted from Perl_save_re_context,
invoked prior to the warn subroutine being called.

The following patch appears to correct the problem, although I'm not
sufficiently versed in the taint implementation to say that it's the
correct fix.  An alternate fix is included in the bug report.

Thoughts?

--bod

[Test case from the bug report:]

#!/usr/bin/perl -Tw
$SIG{'__WARN__'} = sub {warn $_[0]};          # any handler will do; calling it is the trigger
my $tainted = substr($ENV{'PATH'}, 0, 0);     # tainted empty string
my $pat = "Testing %s\n" . $tainted;          # tainted format string
"foo" =~ m/(.*)/;
my $foo = $1;                                 # $1 is untainted at this point
my $s = sprintf($pat, undef);  # << corrupts $1!!  (undef argument warns, handler runs)
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);                                  # fails with an insecure-dependency error if $1 is still tainted

[Patch:]

diff -ur ../perl-5.8.7.broken/scope.c ../perl-5.8.7/scope.c
--- ../perl-5.8.7.broken/scope.c	2005-01-20 10:56:27.000000000 +1100
+++ ../perl-5.8.7/scope.c	2005-10-29 15:55:08.697604021 +1000
@@ -210,6 +210,7 @@
 	if (SvGMAGICAL(osv)) {
 	    MAGIC* mg;
 	    bool oldtainted = PL_tainted;
+	    TAINT_NOT;
 	    mg_get(osv);		/* note, can croak! */
 	    if (PL_tainting && PL_tainted &&
 			(mg = mg_find(osv, PERL_MAGIC_taint))) {
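Review bot: Clearing PL_tainted with TAINT_NOT before mg_get(osv) means the `PL_tainting && PL_tainted` test that follows reflects only taint raised by the get-magic itself, not taint carried over from the enclosing expression, which is the leak the mail describes; but `oldtainted` is saved just above and its restore lies outside this hunk, so check that the normal path still reinstates it, and since the comment on mg_get() says it can croak, an unwind through that point after TAINT_NOT would leave the taint flag cleared unless the croak path restores it too. A regression test built from the test case in the mail would also let the alternate fix in the bug report be compared against this one.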
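Added regression check, not from the mail or the bug report: it reports whether $1 is tainted before and after the handler-triggering sprintf using Scalar::Util's tainted(), instead of relying on eval to die. It assumes perl is run with -T and that an undef sprintf argument warns under -w, as in the test case above.

```perl
#!/usr/bin/perl -Tw
# Added check: does invoking a __WARN__ handler inside an expression that
# contains a tainted operand leave $1 tainted afterwards?
use strict;
use Scalar::Util qw(tainted);

# Tainted empty string, obtained the same way as in the mail's test case.
my $tainted = substr($ENV{'PATH'}, 0, 0);
my $pat     = "Testing %s\n" . $tainted;   # tainted format string

# Handler that merely re-emits the warning; invoking it is the trigger.
$SIG{'__WARN__'} = sub { warn $_[0] };

# Fresh capture on an untainted literal; $1 must be untainted here.
"foo" =~ m/(.*)/ or die "no match";
my $before = tainted($1) ? 1 : 0;

# sprintf with an undef argument warns under -w, so the handler runs while
# the tainted $pat is being evaluated.
my $s = sprintf($pat, undef);

# Another capture on an untainted literal; on an affected perl $1 is now
# tainted even though nothing tainted was matched.
"bar" =~ m/(.*)/ or die "no match";
my $after = tainted($1) ? 1 : 0;

printf "\$1 tainted before: %d, after: %d\n", $before, $after;
exit(($before == 0 && $after == 0) ? 0 : 1);
```

Exit status 1 indicates the perl in use still carries the leak; 0 indicates the fix is in place.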
