
Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)

Paul Szabo
April 30, 2008 03:13
Dear Rick et al,

>> 	PL_tainting |= (PL_uid && (PL_euid != PL_uid || PL_egid != PL_gid));
> ... the problem ... is that it turns tainting on.

When I was working with this code, I left that in place so as to be
"more secure" than previous versions: really to keep changes to a
minimum and a better likelihood of them being accepted.

I do not think it is right to base taintedness on a comparison of UIDs:
prevents legitimate use of perl constructs from within setuid programs
(e.g. cannot do "perl -e 'stuff'" if a parent was setuid); and UID
checks do not trigger when root is running a setuid root script, so his
own test may be flawed. As commented, the UID checks should be changed
to "am now or came from suidperl"; and the perlsec page changed


Paul Szabo
School of Mathematics and Statistics   University of Sydney    Australia
