develooper Front page | perl.perl5.porters | Postings from April 2013

Re: [perl #117771] Encode::encode and Encode::decode gratuitously launders data

From: Leon Timmermans
Date: April 26, 2013 17:09
Subject: Re: [perl #117771] Encode::encode and Encode::decode gratuitously launders data
Message ID: CAHhgV8hnYjzu7h68GFgbwvooFeij33Qgfst2uSVSDNCiAfaO-w@mail.gmail.com
On Fri, Apr 26, 2013 at 6:44 PM, Mark Martinec
<perlbug-followup@perl.org> wrote:
>
> The result of Encode::encode or Encode::decode
> is not tainted, even if given a tainted argument.
>
> There is no excuse for such gratuitous laundering
> of data. It subverts the usefulness of Perl's taint
> protection mechanism and can open security holes
> in applications using Encode which are unaware of
> this bug (here is one example: [rt.cpan.org #82294]).
>
> The bug is not new and is not specific to recent
> versions of perl or versions of the module Encode
> (tested with Encode 2.48, 2.44, 2.42, ...).
>
> Some more security-conscious existing applications
> are already jumping through hoops to provide a workaround,
> but this is not something which an application
> should be required to do.
>
> The following test program illustrates the problem:
>
>
> #!/usr/bin/perl -T
> use strict;
> use Encode qw(encode decode);
> use Scalar::Util qw(tainted);
>
> printf("Encode %s\n", Encode->VERSION);
>
> my $str = "abc" . substr($ENV{PATH},0,0);  # tainted string
> my $r;
>
> $r = encode("ASCII", $str);
> warn "encode laundering\n" if tainted($str) && !tainted($r);
>
> $r = encode("UTF-8", $str);
> warn "encode laundering\n" if tainted($str) && !tainted($r);
>
> $r = decode("ISO-8859-1", $str);
> warn "decode laundering\n" if tainted($str) && !tainted($r);

Encode is maintained on CPAN, its bugtracker can be found at
https://rt.cpan.org/Dist/Display.html?Name=Encode. If it's fixed there
we'll pull the fixed version into core.

Leon
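The report mentions that security-conscious applications already work around the laundering themselves. Below is an added example of such a wrapper, written for this page; it is not code from either poster, from Encode, or from perl core. The function names `encode_keep_taint`, `decode_keep_taint` and `_propagate_taint` are made up for the example, and the tainted sample string is constructed the same way as in the report (an empty substring of `%ENV`, which is always tainted under `-T`). The trick is that concatenating a zero-length substring of a tainted value onto a result taints the result without changing its content.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Encode qw(encode decode);
use Scalar::Util qw(tainted);

# Re-taint $out if $in was tainted (hypothetical helper).
# Appending a zero-length substring of the tainted input
# propagates its taint flag without altering the bytes.
sub _propagate_taint {
    my ($in, $out) = @_;
    return $out unless tainted($in);
    return $out . substr($in, 0, 0);
}

# Drop-in replacements for encode()/decode() that keep the
# caller's taint status instead of silently laundering it.
sub encode_keep_taint {
    my ($encoding, $str, @check) = @_;
    return _propagate_taint($str, encode($encoding, $str, @check));
}

sub decode_keep_taint {
    my ($encoding, $octets, @check) = @_;
    return _propagate_taint($octets, decode($encoding, $octets, @check));
}

# Constructed sample input: a literal made tainted via %ENV.
my $tainted = "abc" . substr($ENV{PATH}, 0, 0);
my $clean   = "abc";

my $enc = encode_keep_taint("UTF-8", $tainted);
my $dec = decode_keep_taint("ISO-8859-1", $tainted);

printf "plain encode() result tainted:     %d\n", tainted(encode("UTF-8", $tainted)) ? 1 : 0;
printf "encode_keep_taint result tainted:  %d\n", tainted($enc) ? 1 : 0;
printf "decode_keep_taint result tainted:  %d\n", tainted($dec) ? 1 : 0;

# The wrapper adds no taint of its own: clean input stays clean.
printf "clean input result tainted:        %d\n",
    tainted(encode_keep_taint("UTF-8", $clean)) ? 1 : 0;
```

Run it with `perl -T` so taint checking is on at all. Because the wrapper receives a copy of the string, Encode's in-place modification of its source argument under a CHECK flag is not visible to the caller; if an application relies on that side effect it should pass the original variable to Encode directly and re-taint the result with the same `substr` trick.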
