Hello,

To solve a particular problem I came across something that behaves as documented but that could (or could not) be considered a bit 'strange'.

What I was trying to do was (by using Taint::Util and Taint::Runtime):

- Enable taint mode,
- Taint a scalar ($s1),
- Disable taint mode,
- Make a new scalar ($s2 = "foo $s1 bar") which contains the tainted scalar,
(- Enable taint mode,)
- Check if $s2 is tainted,
- If it is tainted produce a warning,
(- Disable taint mode,)
- Continue as normal

The result: the second scalar ($s2) isn't tainted because taint mode wasn't enabled when the new scalar was created.

I got it to be tainted by removing the 'if(PL_tainting)' check from SvTAINTED_on(sv), SvTAINTED_off(sv), SvTAINT(sv) (in sv.h).

The reason for all this: several places in our code base are using user/database input in an unsafe way. (Enabling taint mode at this point is not a real option since it will make the code die until all unsafe things are fixed. The code base however is quite large (and obviously messy) so changing everything can't be done in a short time period, but has to be done over time.)

While playing with this I came across behaviour that could or could not be considered 'strange':

    #!/usr/bin/perl -l
    print ${^TAINT};
    $<=1001;
    print ${^TAINT};
    my $foo = <STDIN>;
    system "echo $foo"

==> The output of this is: Insecure dependency in system while running setuid

    #!/usr/bin/perl -l
    print ${^TAINT};
    my $foo = <STDIN>;
    $<=1001;
    print ${^TAINT};
    system "echo $foo"

==> The output of this is whatever was inputted for <STDIN>.
==> The reason for this is that at the time the scalar was created taint mode wasn't enabled, so therefore the scalar is not tainted.

When I run the code on my patched perl (patch against 5.8.8 attached - sorry, no blead installed atm):

    #!/usr/bin/perl -l
    print ${^TAINT};
    $<=1001;
    print ${^TAINT};
    my $foo = <STDIN>;
    system "echo $foo"

==> Insecure $ENV{PATH} while running setuid at t1.pl

    #!/usr/bin/perl -l
    print ${^TAINT};
    my $foo = <STDIN>;
    system "echo $foo"

==> The output of this is whatever was inputted for <STDIN>.

So basically what I'm asking:

a) Is there a reason why SvTAINTED_on, SvTAINTED_off and SvTAINT check if taint mode is enabled, and
b) wouldn't it make more sense to always set the taint flag and only check if taint mode is enabled when 'executing' the commands, since it can be enabled or disabled while running the code (changing $<, using Taint::Runtime, ...)?

(All tests still pass after applying the patch - only one test fails in Taint::Util but that is expected.)

(The patch attached is only meant for testing; if it gets applied then a small doc patch is also needed.)

Kind regards,

Bram
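
The two marking policies contrasted in the message above, as an added example that is not part of the original message or of perl's source. It is a simplified C model: the `Scalar` type, the `tainting` switch (standing in for `PL_tainting`) and all function names are hypothetical, and the sink check stands in for the check perl makes before `system`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT perl's source: one taint bit per scalar and one
 * global switch standing in for PL_tainting. All names are hypothetical. */
typedef struct { bool tainted; } Scalar;
typedef void (*mark_fn)(Scalar *);
static bool tainting;                       /* "taint mode is enabled" */

/* Marking gated on the mode, as the post describes for SvTAINTED_on(). */
static void mark_gated(Scalar *sv)  { if (tainting) sv->tainted = true; }
/* Marking with the gate removed, as in the post's test patch. */
static void mark_always(Scalar *sv) { sv->tainted = true; }

/* Sink check (think system()): enforced only while the mode is on. */
static bool sink_rejects(const Scalar *sv) { return tainting && sv->tainted; }

/* Script pattern: read external input, maybe switch the mode on afterwards,
 * then reach the sink. Returns true if the sink refuses the value. */
static bool input_then_sink(mark_fn mark, bool on_at_read, bool on_at_sink)
{
    Scalar foo = { false };
    tainting = on_at_read;
    mark(&foo);                             /* my $foo = <STDIN>; */
    tainting = on_at_sink;                  /* e.g. mode enabled later */
    return sink_rejects(&foo);
}

/* Audit pattern: taint s1 with the mode on, build s2 from s1 with the mode
 * off, then re-enable and test s2. Returns the final taint bit of s2. */
static bool derived_is_tainted(mark_fn mark)
{
    Scalar s1 = { false }, s2 = { false };
    tainting = true;  mark(&s1);            /* taint $s1 */
    tainting = false;
    if (s1.tainted) mark(&s2);              /* $s2 = "foo $s1 bar" */
    tainting = true;
    return s2.tainted;
}

int main(void)
{
    printf("gated:  late enable rejects=%d, derived tainted=%d\n",
           input_then_sink(mark_gated, false, true), derived_is_tainted(mark_gated));
    printf("always: late enable rejects=%d, derived tainted=%d\n",
           input_then_sink(mark_always, false, true), derived_is_tainted(mark_always));
    return 0;
}
```

In this model, gated marking loses the taint bit whenever data is created or derived while the mode is off, so a later sink check has nothing to act on; ungated marking keeps the bit and leaves enforcement to the sink.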