develooper Front page | perl.perl5.porters | Postings from August 2014

Re: [perl #122424] Unicode::Collate gives incorrect cmp() valuesfor tainted strings

Thread Previous
Karl Williamson
August 17, 2014 04:57
Re: [perl #122424] Unicode::Collate gives incorrect cmp() valuesfor tainted strings
Message ID:
On 07/28/2014 08:16 AM, Philip Boulain (via RT) wrote:
> # New Ticket Created by  Philip Boulain
> # Please include the string:  [perl #122424]
> # in the subject line of all future correspondence about this issue.
> # <URL: >
> This is a bug report for perl from,
> generated with the help of perlbug 1.39 running under perl 5.14.2.
> -----------------------------------------------------------------
> [Please describe your issue here]
> Unicode::Collate's cmp() always returns zero when comparing
> tainted strings. getSortKey() seems to always return a minimal
> string for them.
> You can test this with a simple one-liner:
> $ perl -T -MScalar::Util -MUnicode::Collate -Mstrict -w -e 'my $x =
> <STDIN>; my $y = <STDIN>; print Scalar::Util::tainted($x) ? "x tainted\n" :
> "x not tainted\n"; print Unicode::Collate->new()->cmp($x, $y); print "\n";';
> a
> b
> x tainted
> 0
> (Type the 'a' and 'b'.)
> If you remove the -T option, you get the expected output:
> x not tainted
> -1
> There does not appear to be any documentation on
> Unicode::Collate's behaviour in taint mode.
> [Please do not change anything below this line]
> -----------------------------------------------------------------

I ran the one-liner on blead adn v5.20.0, and it gives the output you 
said is expected.  So this bug appears to have been fixed somewhere 
along the line.  (I haven't delved deeper to figure out how to get 
tainted input doing a bisect.)

Also, Unicode::Collate is maintained from CPAN, so tickets should be 
filed against it, not the Perl core.

I'm taking this ticket to remind me to close it in 7 days unless I hear 

Thread Previous Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About