[perl #117771] Encode::encode and Encode::decode gratuitously launders data
From: Mark Martinec
Date: April 26, 2013 16:44
Subject: [perl #117771] Encode::encode and Encode::decode gratuitously launders data
Message ID: rt-3.6.HEAD-28177-1366994668-614.117771-75-0@perl.org
# New Ticket Created by Mark Martinec
# Please include the string: [perl #117771]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=117771 >
This is a bug report for perl from Mark.Martinec@ijs.si,
generated with the help of perlbug 1.39 running under perl 5.17.9.
-----------------------------------------------------------------
[Please describe your issue here]
The result of Encode::encode or Encode::decode
is not tainted, even if given a tainted argument.
There is no excuse for such gratuitous laundering
of data. It subverts the usefulness of Perl's taint
protection mechanism and can open security holes
in applications using Encode which are unaware of
this bug (here is one example: [rt.cpan.org #82294]).
The bug is not new and is not specific to recent
versions of perl or versions of the module Encode
(tested with Encode 2.48, 2.44, 2.42, ...).
Some more security-conscious existing applications
are already jumping through hoops providing a workaround,
but this is not something which an application
should be required to do.
The following test program illustrates the problem:
#!/usr/bin/perl -T
use strict;
use Encode qw(encode decode);
use Scalar::Util qw(tainted);
printf("Encode %s\n", Encode->VERSION);
my $str = "abc" . substr($ENV{PATH},0,0); # tainted string
my $r;
$r = encode("ASCII", $str);
warn "encode laundering\n" if tainted($str) && !tainted($r);
$r = encode("UTF-8", $str);
warn "encode laundering\n" if tainted($str) && !tainted($r);
$r = decode("ISO-8859-1", $str);
warn "decode laundering\n" if tainted($str) && !tainted($r);
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=library
severity=medium
module=Encode
---
Site configuration information for perl 5.17.9:
Configured by mark at Fri Mar 1 15:29:16 CET 2013.
Summary of my perl5 (revision 5 version 17 subversion 9) configuration:
Platform:
osname=freebsd, osvers=7.2-release-p2, archname=amd64-freebsd
uname='freebsd dorothy.ijs.si 7.2-release-p2 freebsd 7.2-release-p2 #0: wed jul 15 15:45:26 cest 2009 lesi@dorothy.ijs.si:usrobjusrsrcsysdorothy amd64 '
config_args='-Dusedevel -sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.17.9/mach -Dprivlib=/usr/local/lib/perl5/5.17.9 -Dman3dir=/usr/local/lib/perl5/5.17.9/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.17.9/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.17.9 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.17.9/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -Doptimize=-O2 -fno-strict-aliasing -pipe -Ui_gdbm -Dusethreads=n -Dusemymalloc=n -Duse64bitint'
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=define, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
optimize='-O2 -fno-strict-aliasing -pipe',
cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.17.9/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
ccversion='', gccversion='4.2.1 20070719 [FreeBSD]', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='cc', ldflags ='-pthread -Wl,-E -fstack-protector -L/usr/local/lib'
libpth=/usr/lib /usr/local/lib
libs=-lgdbm -lm -lcrypt -lutil
perllibs=-lm -lcrypt -lutil
libc=, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' -Wl,-R/usr/local/lib/perl5/5.17.9/mach/CORE'
cccdlflags='-DPIC -fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector'
Locally applied patches:
---
@INC for perl 5.17.9:
/usr/local/lib/perl5/5.17.9/BSDPAN
/usr/local/lib/perl5/site_perl/5.17.9/mach
/usr/local/lib/perl5/site_perl/5.17.9
/usr/local/lib/perl5/5.17.9/mach
/usr/local/lib/perl5/5.17.9
.
---
Environment for perl 5.17.9:
HOME=/root
LANG (unset)
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
PERL_BADLANG (unset)
SHELL=/usr/local/bin/bash
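
A taint-preserving wrapper of the kind the report calls a workaround, as an added example that is not part of the original message or of Encode. The names _retaint, encode_keep_taint, decode_keep_taint and report are assumptions; the re-tainting uses the same zero-length substr idiom as the test program in the report.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Encode ();
use Scalar::Util qw(tainted);

# Re-apply taint to $result when $source was tainted but $result is not.
sub _retaint {
    my ($result, $source) = @_;
    return $result if !defined $result || !tainted($source) || tainted($result);
    # A zero-length substring of a tainted scalar is itself tainted.
    # Downgrade it so that appending it never changes the result's UTF8 flag.
    my $empty = substr($source, 0, 0);
    utf8::downgrade($empty);
    return $result . $empty;
}

# Hypothetical wrapper names (assumptions, not part of Encode).
# Arguments are passed one by one because Encode's functions have prototypes.
sub encode_keep_taint {
    my ($encoding, $string, $check) = @_;
    return _retaint(Encode::encode($encoding, $string, $check), $string);
}

sub decode_keep_taint {
    my ($encoding, $octets, $check) = @_;
    return _retaint(Encode::decode($encoding, $octets, $check), $octets);
}

sub report {
    my ($label, $value) = @_;
    printf "%-24s %s\n", $label, tainted($value) ? "tainted" : "not tainted";
}

# Constructed inputs: one tainted (same trick as the test program), one clean.
my $tainted = "abc" . substr($ENV{PATH}, 0, 0);
my $clean   = "abc";

# One statement per case, mirroring the three calls in the report.
report("encode ASCII, tainted",  encode_keep_taint("ASCII",      $tainted));
report("encode UTF-8, tainted",  encode_keep_taint("UTF-8",      $tainted));
report("decode Latin-1, tainted", decode_keep_taint("ISO-8859-1", $tainted));
report("encode UTF-8, clean",    encode_keep_taint("UTF-8",      $clean));
```

On an Encode release that already propagates taint, _retaint returns the result unchanged.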