[perl #56058] LWP::Simple _get() function taints its arguments sometimes

# New Ticket Created by  perlbugs@ch.pkts.ca 
# Please include the string:  [perl #56058]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=56058 >



This is a bug report for perl from perlbugs@ch.pkts.ca,
generated with the help of perlbug 1.35 running under perl v5.8.8.


-----------------------------------------------------------------
[Please enter your report here]

Untainting is not working in LWP::Simple?

I'm writing a short program that reads an RSS feed and downloads an article.
I'm using XML::RSS::Parser to process the RSS feed, and LWP::Simple to get it.
I've untainted the url, and checked it with tainted() from
Scalar::Util, but I'm still unable to download the article, despite
untainting it as best I know how.

The error message: 
Insecure dependency in connect while running with -T switch at
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/IO/Socket.pm line 115.

I've inserted debugging statements into LWP::Simple, and found that
_get() sometimes taints the data...?

Here is sample code:
-------------
#!/usr/bin/perl -wT
use strict;

use XML::RSS::Parser;
use LWP::Simple;
use Scalar::Util qw(tainted);

# Succeed (assuming this url is still valid):
process("http://www.mailinator.com/showmail.jsp?email=billgates&msgid=21924179");
print "\n";

my $p = XML::RSS::Parser->new;
my $feed = $p->parse_uri('http://www.mailinator.com/rss.jsp?email=billgates');
#my $feed = $p->parse_file('rss.jsp');
if (!defined $feed) { die("parse: ".($p->errstr)); }
my @list=$feed->query('//item');

# Fail:
process($list[0]->query('link')->text_content);

sub process {
  my $l=$_[0];
  print $l,"\n";

  # This does untaint the data:
  if ($l!~m/email=([a-z]+)&msgid=(\d+)/i) {
    die("Abnormal link for message: $l");
  }
  my $email=$1;
  my $msgid=$2;

  print "email=$email  msgid=$msgid\n";
  if (tainted($email)) { die("email is tainted"); }
  if (tainted($msgid)) { die("msgid is tainted"); }

  my $url="http://www.mailinator.com/showmail2.jsp?email=$1&msgid=$2";

  print "url=$url\n";
  if (tainted($url)) { die("url is tainted"); }

  # This dies with a taint error?!?
  my $content=get($url);

  #print $content;
}

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
This perlbug was built using Perl v5.8.8 in the Red Hat build system.
It is being executed now by Perl v5.8.8 - Mon Jun  9 04:43:24 EDT 2008.

Site configuration information for perl v5.8.8:

Configured by Red Hat, Inc. at Mon Jun  9 04:43:24 EDT 2008.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=linux, osvers=2.6.18-53.1.19.el5xen, archname=i386-linux-thread-multi
    uname='linux xenbuilder4.fedora.phx.redhat.com 2.6.18-53.1.19.el5xen #1 smp tue apr 22 03:15:33 edt 2008 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -Dversion=5.8.8 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dinc_version_list=5.8.7 5.8.6 5.8.5 -Dscriptdir=/usr/bin'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='4.1.2 20070925 (Red Hat 4.1.2-33)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.7.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.7'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -L/usr/local/lib'

Locally applied patches:
    

---
@INC for perl v5.8.8:
    /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl/5.8.7
    /usr/lib/perl5/site_perl/5.8.6
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.6
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/5.8.8
    .

---
Environment for perl v5.8.8:
    HOME=/home/croot
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH=/usr/arb/lib
    LOGDIR (unset)
    PATH=/usr/arb/bin:/home/croot/bin:/home/croot/bin/LINUX:/home/croot/pubbin/LINUX:/usr/depot/ccache-2.2/mybin:/usr/depot/distcc/mybin:/usr/local/bin:/bin:/usr/local/etc:/usr/sbin:/usr/ucb:/sbin:/usr/5bin:/usr/X11/bin:/usr/bin:/usr/bin/X11:/usr/bsd:/usr/ccs/bin:/usr/etc:/usr/games:/usr/lib:/usr/libexec:/usr/X11R6/bin:/usr/local/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/csh

• [perl #56058] LWP::Simple _get() function taints its arguments sometimes by perlbug-followup
• Re: [perl #56058] LWP::Simple _get() function taints its arguments sometimes by Steve Peters