develooper Front page | perl.perl5.porters | Postings from February 2015

[perl #123880] utf8::SWASHNEW messes taint state when $1,$2,$3 are tainted

Mark Martinec
February 19, 2015 11:23
[perl #123880] utf8::SWASHNEW messes taint state when $1,$2,$3 are tainted
Message ID:
# New Ticket Created by  Mark Martinec 
# Please include the string:  [perl #123880]
# in the subject line of all future correspondence about this issue. 
# <URL: >

This is a bug report for perl from,
generated with the help of perlbug 1.40 running under perl 5.20.1.

[Please describe your issue here]

The following program:

  #!/usr/bin/perl -T
  use strict;
  use re 'taint';
  $ENV{PATH} =~ /^(.)(.)(.)/;
  eval 'qr/\p{IsXDigit}/; printf("OK\n")'
    or die "Eval failed: $@\n";

  Eval failed: Insecure dependency in printf
    while running with -T switch at (eval 1) line 1.

(Replacing printf("OK\n") with something like 'use strict'
ends up with 'Insecure dependency in require'.)

This fails on 5.16.*, 5.18.* and 5.20.1, but seems to
be fixed in 5.20.2. (The 5.14.2 and 5.12.5 are fine too)

It is possibly related to [perl #122669], which
is also fixed in 5.20.2, although under 5.14.2
the #122669 fails but this one does not.

Regardless, seems prudent to localize $1, $2 and $3
in utf8::SWASHNEW so that it does not depend on
whether these global variables are tainted or not.

[Please do not change anything below this line]
Site configuration information for perl 5.20.1:

Configured by root at Wed Dec 17 20:24:38 UTC 2014.

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
    osname=freebsd, osvers=10.0-release, archname=amd64-freebsd-thread-multi
    uname='freebsd 10amd64-ws-default-job-01 10.0-release freebsd 10.0-release amd64 '
    config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.20/mach -Dprivlib=/usr/local/lib/perl5/5.20 -Dman3dir=/usr/local/lib/perl5/5.20/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/mach/5.20 -Dsitelib=/usr/local/lib/perl5/site_perl -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/site_perl/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dotherlibdirs=/usr/local/lib/perl5/site_perl/5.20:/usr/local/lib/perl5/site_perl/5.20/mach -Doptimize=-g -DDEBUGGING -Ui_gdbm -Dusemultiplicity=n -Duse64bitint -Dusethreads=y -Dusemymalloc=n'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='cc', ccflags ='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    cppflags='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible FreeBSD Clang 3.3 (tags/RELEASE_33/final 183502)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-pthread -Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib /usr/include/clang/3.3 /usr/lib
    libs=-lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true,
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.20/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared -L/wrkdirs/usr/ports/lang/perl5.20/work/perl-5.20.1 -L/usr/local/lib/perl5/5.20/mach/CORE -Wl,-rpath=/usr/local/lib/perl5/5.20/mach/CORE -lperl  -L/usr/local/lib -fstack-protector'

@INC for perl 5.20.1:

Environment for perl 5.20.1:
    LANG (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About