develooper Front page | perl.perl5.porters | Postings from April 2013

[perl #117771] Encode::encode and Encode::decode gratuitously launders data

Thread Previous
Mark Martinec
April 26, 2013 16:44
[perl #117771] Encode::encode and Encode::decode gratuitously launders data
Message ID:
# New Ticket Created by  Mark Martinec 
# Please include the string:  [perl #117771]
# in the subject line of all future correspondence about this issue. 
# <URL: >

This is a bug report for perl from,
generated with the help of perlbug 1.39 running under perl 5.17.9.

[Please describe your issue here]

The result of Encode::encode or Encode::decode
is not tainted, even if given a tainted argument.

There is no excuse for such gratuitous laundering
of data. It subverts usefulness of Perl taint
protection mechanism and can open security holes
in applications using Encode which are unaware of
this bug (here is one example: [ #82294]).

The bug is not new and is not specific to recent
versions of perl or versions of the module Encode
(tested with Encode 2.48, 2.44, 2.42, ...).

Some more security conscious existing applications
are already jumping hoops providing a workaround,
but this is not something which an application
should be required to do.

The following test program illustrates the problem:

#!/usr/bin/perl -T
use strict;
use Encode qw(encode decode);
use Scalar::Util qw(tainted);

printf("Encode %s\n", Encode->VERSION);

my $str = "abc" . substr($ENV{PATH},0,0);  # tainted string
my $r;

$r = encode("ASCII", $str);
warn "encode laundering\n" if tainted($str) && !tainted($r);

$r = encode("UTF-8", $str);
warn "encode laundering\n" if tainted($str) && !tainted($r);

$r = decode("ISO-8859-1", $str);
warn "decode laundering\n" if tainted($str) && !tainted($r);

[Please do not change anything below this line]
Site configuration information for perl 5.17.9:

Configured by mark at Fri Mar  1 15:29:16 CET 2013.

Summary of my perl5 (revision 5 version 17 subversion 9) configuration:
    osname=freebsd, osvers=7.2-release-p2, archname=amd64-freebsd
    uname='freebsd 7.2-release-p2 freebsd 7.2-release-p2 #0: wed jul 15 15:45:26 cest 2009 amd64 '
    config_args='-Dusedevel -sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.17.9/mach -Dprivlib=/usr/local/lib/perl5/5.17.9 -Dman3dir=/usr/local/lib/perl5/5.17.9/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.17.9/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.17.9 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.17.9/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -Doptimize=-O2 -fno-strict-aliasing -pipe -Ui_gdbm -Dusethreads=n -Dusemymalloc=n -Duse64bitint'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-O2 -fno-strict-aliasing -pipe',
    cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 20070719  [FreeBSD]', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-pthread -Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true,
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.17.9/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib -fstack-protector'

Locally applied patches:

@INC for perl 5.17.9:

Environment for perl 5.17.9:
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PERL_BADLANG (unset)

Thread Previous Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About