perl.perl5.porters | Postings from June 2014

[perl #122178] What untaints are needed for open FH,"<:encoding(UTF-8)",$path ?

From: perlbug-followup
Date: June 25, 2014 02:53
Subject: [perl #122178] What untaints are needed for open FH,"<:encoding(UTF-8)",$path ?
Message ID: rt-4.0.18-12763-1403661964-847.122178-75-0@perl.org
# New Ticket Created by
# Please include the string:  [perl #122178]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=122178 >

This is a bug report for perl from jim.avera@gmail.com,
generated with the help of perlbug 1.39 running under perl 5.14.2.


-----------------------------------------------------------------
#!/usr/bin/perl -T

# Question: What tainted variables other than %ENV and @INC
# can cause "Insecure dependency in require"?
#
# Specifically, why does an open FH, "<:encoding(UTF-8)", $taintedpath
# fail if %ENV and @INC are clean?
#
# Thanks for any help or pointers!
# -Jim
#
# Here is the output I get from this script:
#  ENV: HOME => /home/jima
#  ENV: LANG => en_US.UTF-8
#  INC: /etc/perl
#  INC: /usr/local/lib/perl/5.14.2
#  INC: /usr/local/share/perl/5.14.2
#  INC: /usr/lib/perl5
#  INC: /usr/share/perl5
#  INC: /usr/lib/perl/5.14
#  INC: /usr/share/perl/5.14
#  INC: /usr/local/lib/site_perl
#  here we go...
#  Insecure dependency in require while running with -T switch ...
#  BEGIN failed--compilation aborted [but N.B. my script already started]

use strict; use warnings;
use Scalar::Util qw(tainted);
use Data::Dumper;

$ENV{PATH} = "/usr/bin:/bin";
foreach (sort keys %ENV) {
  # Drop every variable whose name starts with A-G, HI, I-K, L (except LA...), M-O.
  delete $ENV{$_},next if /^([ABCDEFG]|HI|[IJK]|L[^A]|[MNO])/;
  # Drop P... (except PATH) and anything starting with Q-Z or '_'.
  # The whole alternation is anchored at ^ so that PATH, set above, survives.
  delete $ENV{$_},next if /^(P[^A]|PA[^T]|[Q-Z_])/;
  # Untaint what remains by keeping only a capture that excludes shell metacharacters.
  $ENV{$_} = $1 if $ENV{$_} =~ /^([^;{}"`|&<>\n\r]*)$/;
}
foreach (sort keys %ENV) {
  die "tainted ENV{$_} = ",Dumper($ENV{$_}) if tainted($ENV{$_});
  warn "ENV: $_ => $ENV{$_}\n";
}
foreach (@INC) {
  die "tainted INC: ",Dumper($_) if tainted($_);
  warn "INC: $_\n";
}

chomp( my $path = `echo "/etc/passwd"` ); # tainted

# DIES HERE with "Insecure dependency in require"
print "here we go...\n";
open my $fh, "<:encoding(UTF-8)", $path or die "$path: $!";

print "Test passed (never gets here).\n";
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=none
---
Site configuration information for perl 5.14.2:

Configured by Debian Project at Thu Jul 18 22:04:35 UTC 2013.

Summary of my perl5 (revision 5 version 14 subversion 2) configuration:
   
  Platform:
    osname=linux, osvers=3.2.0-37-generic, archname=x86_64-linux-gnu-thread-multi
    uname='linux roseapple 3.2.0-37-generic #58-ubuntu smp thu jan 24 15:28:10 utc 2013 x86_64 x86_64 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Dldflags= -Wl,-Bsymbolic-functions -Wl,-z,relro -Dlddlflags=-shared -Wl,-Bsymbolic-functions -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.2 -Dsitearch=/usr/local/lib/perl/5.14.2 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.14.2 -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.8.1', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=, so=so, useshrplib=true, libperl=libperl.so.5.14.2
    gnulibc_version='2.17'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector'

Locally applied patches:

---
@INC for perl 5.14.2:
    /home/jima/lib/perl
    /home/jima/perl5/lib/perl5/x86_64-linux-gnu-thread-multi
    /home/jima/perl5/lib/perl5/x86_64-linux-gnu-thread-multi
    /home/jima/perl5/lib/perl5
    /etc/perl
    /usr/local/lib/perl/5.14.2
    /usr/local/share/perl/5.14.2
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.14
    /usr/share/perl/5.14
    /usr/local/lib/site_perl
    .

---
Environment for perl 5.14.2:
    HOME=/home/jima
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LD_LIBRARY_PATH=/home/jima/local/lib
    LOGDIR (unset)
    PATH=/home/jima/perl5/bin:/home/jima/bin:/home/jima/local/bin:/home/jima/jima_tools/x86_64/bin:/home/jima/jima_tools/bin:/opt/Adobe/Reader9/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/bin/X11:/usr/local/bin:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/games:/usr/local/games:/usr/lib/jvm/java-7-oracle/bin:/usr/lib/jvm/java-7-oracle/db/bin:/usr/lib/jvm/java-7-oracle/jre/bin:.
    PERL5LIB=/home/jima/lib/perl:/home/jima/perl5/lib/perl5/x86_64-linux-gnu-thread-multi:/home/jima/perl5/lib/perl5
    PERL_BADLANG (unset)
    PERL_LOCAL_LIB_ROOT=/home/jima/perl5
    PERL_MB_OPT=--install_base /home/jima/perl5
    PERL_MM_OPT=INSTALL_BASE=/home/jima/perl5
    SHELL=/bin/bash


nntp.perl.org: Perl Programming lists via nntp and http.