develooper Front page | perl.perl5.porters | Postings from May 2013

[perl #114908] rename wrongly considered insecure in an elsif clause

From: James E Keenan via RT
Date: May 27, 2013 00:15
Subject: [perl #114908] rename wrongly considered insecure in an elsif clause
Message ID: rt-3.6.HEAD-2650-1369613732-660.114908-15-0@perl.org
On Fri Sep 14 10:24:05 2012, mhasch@cpan.org wrote:
> 
> This is a bug report for perl from mhasch@cpan.org,
> generated with the help of perlbug 1.39 running under perl 5.16.1.
> 
> 
> -----------------------------------------------------------------
> Perl seems to consider "rename" to be an insecure operation in
> taint mode if it happens to be called in an elsif clause chained
> after an if clause involving something tainted.  This seems to
> be the case in perl5.8.9, perl5.10.1, perl5.14.2 and perl5.16.1.
> 
> A test for this is attached below.  I thank Bram on #p5p for
> help in boiling down the test case.
> 

The "insecure dependency" message refers one to 'perlsec'.  I believe
the following is the relevant paragraph therefrom:

#####
You may not use data derived from outside your program to affect
something else outside your program--at least, not by accident.  All
command line arguments, environment variables, locale information (see
L<perllocale>), results of certain system calls (C<readdir()>,
C<readlink()>, the variable of C<shmread()>, the messages returned by
C<msgrcv()>, the password, gcos and shell fields returned by the
C<getpwxxx()> calls), and all file input are marked as "tainted".
Tainted data may not be used directly or indirectly in any command
that invokes a sub-shell, nor in any command that modifies files,
directories, or processes, B<with the following exceptions>:
#####

... and renaming a file does not appear in that list of exceptions.  My
guess is that, for good reason or bad, renaming in taint mode is
considered "any command that modifies files."  So this seems to be a
case of "works as designed" -- though perhaps the design is sub-optimal.

Thank you very much.
Jim Keenan


---
via perlbug:  queue: perl5 status: new
https://rt.perl.org:443/rt3/Ticket/Display.html?id=114908
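
The following script is an added illustration of the taint rules quoted above; it is not the test case attached to the bug report and not perl's own code. It shows the three situations a practitioner needs to tell apart: a rename whose operand is tainted (always refused under -T), the same rename after the operand has been untainted by a regex capture with a deliberately narrow pattern, and the shape from the report itself, where both operands are clean but the rename sits in an elsif chained after an if that reads tainted data. The scratch file names, the taint_copy helper and the idiom it uses (appending an empty substring of %ENV data to set the taint flag without changing the value) are this example's own assumptions. The outcome of the third case is whatever your perl does; the report observed it being refused on 5.8.9 through 5.16.1, and the script prints the result rather than asserting it.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report): how taint mode treats rename().
# Run it as:  perl -T taint_rename.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Scratch files in the current directory; nothing else is touched.
my $src = "taint_demo_src_$$";
my $dst = "taint_demo_dst_$$";
open my $fh, '>', $src or die "create $src: $!";
close $fh;

# Return a copy of $v whose value is unchanged but which carries the taint
# flag, using the usual idiom of concatenating an empty substring of tainted
# data (under -T every %ENV value is tainted).  Assumed helper, not perl API.
sub taint_copy {
    my ($v) = @_;
    return $v . substr(join('', values %ENV), 0, 0);
}

# 1. A tainted operand: perl refuses the rename outright.
my $tainted_src = taint_copy($src);
printf "operand tainted: %s\n", tainted($tainted_src) ? 'yes' : 'no';
eval { rename $tainted_src, $dst or die "rename: $!\n"; 1 }
    or print "rename(tainted operand) refused: $@";
# Expected message: Insecure dependency in rename while running with -T switch

# 2. Untaint by capturing from a deliberately narrow pattern.  Capturing
#    with /(.*)/ would also clear the taint flag but defeats the purpose.
my ($clean_src) = $tainted_src =~ /\A([\w.-]+)\z/
    or die "refusing unexpected characters in '$tainted_src'\n";
printf "after regex capture tainted: %s\n", tainted($clean_src) ? 'yes' : 'no';
rename $clean_src, $dst or die "rename: $!\n";
print "rename(untainted operand): ok\n";
rename $dst, $src or die "rename: $!\n";   # put the file back

# 3. The shape from the bug report: both operands are untainted, but the
#    rename sits in an elsif chained after an if whose condition reads
#    tainted data.  The report says this is refused on 5.8.9 to 5.16.1;
#    whatever your perl does is printed below.
my $mode = taint_copy('move');
my $ok = eval {
    if ($mode eq 'copy') {
        die "unexpected branch\n";
    }
    elsif ($mode eq 'move') {
        rename $src, $dst or die "rename: $!\n";
    }
    1;
};
print "rename in elsif after tainted test: ", ($ok ? "ok\n" : "refused: $@");

unlink $src, $dst;   # whichever of the two exists
```

Note that the script must be started with perl -T (or via the shebang); starting it with a plain perl makes perl die with "Too late for -T option". The regex untaint in step 2 is the only sanctioned way to clear the flag, and its pattern is the actual security control: it decides which file names from outside the program may reach rename.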


