Bug#411786: more taint checking breakage, with ikiwiki
Niko Tyni
ntyni at debian.org
Mon Jan 25 20:31:12 UTC 2010
forwarded 411786 http://rt.perl.org/rt3/Ticket/Display.html?id=72360
thanks

On Tue, Feb 20, 2007 at 05:53:51PM -0500, Joey Hess wrote:
> Package: perl
> Version: 5.8.8-7
> Severity: normal
> use Scalar::Util;
> print STDERR "in tainted: ".Scalar::Util::tainted($file)."\n";
> $file=~s!/*[^/]+$!!;
> print STDERR "out tainted: ".Scalar::Util::tainted($file)."\n";
> in tainted: 0
> out tainted: 1
>
> So perl is randomly setting the taint flag.
>
> I've attached a 750 line test case in a tarball. Sorry that's not
> smaller or simpler, but I already boiled it down from the entirety of
> ikiwiki to this. :-)
I was able to reduce this to

#!/usr/bin/perl -T
print "1..1\n";
package main;
use HTML::Parser;
use Scalar::Util q/tainted/;
use Encode;
my $p = HTML::Parser->new;
$p->parse($ENV{HOME});
$p->eof;
$f = decode_utf8("out/abc");
$f =~s!/*[^/]+$!!;
print Scalar::Util::tainted($f) ? "not ok 1\n" : "ok 1\n";
__END__

which is fixed with Perl 5.10.1; bisecting points at
http://perl5.git.perl.org/perl.git/commit/8433848b1

However, it turns out that the real problem is that a tainted $@
variable taints the substitution result, and the above change "just"
fixes a case of erroneous tainting of $@ in Perl_call_method() (triggered
in our testcase by XS parts of HTML::Parser).

This snippet still shows the bug on 5.10.1 and current bleadperl:

#!perl -T
use Scalar::Util q/tainted/;
eval { die $ENV{HOME} }; # taint errsv
$f = "out/abc\x{263A}";
print tainted($f), "\n";
$f =~s!/*[^/]+$!!;
print tainted($f), "\n";
__END__

so I've filed upstream ticket [perl #72360].
--
Niko Tyni ntyni at debian.org
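
A probe built from the two snippets in the message above, as an added example that is not part of the original mail or of Perl's own test suite: it runs the same substitution with and without a tainted $@, on a byte string and on a string containing a wide character, and exits non-zero if an untainted input comes out tainted. The probe() helper, the case labels and the choice of taint source are this example's own assumptions.

```perl
#!/usr/bin/perl -T
# Added example: run as "perl -T probe.pl" so taint mode is active.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Every %ENV value is tainted under -T; pick any non-empty one as taint source.
my ($src) = grep { defined($_) && length($_) } values %ENV;
die "need at least one non-empty environment variable\n" unless defined $src;

# probe() is this example's own helper. It repeats the sequence from the
# report: optionally taint $@, build an untainted string, run the
# substitution, and compare the taint flag before and after.
sub probe {
    my ($label, $taint_errsv, $string) = @_;
    if ($taint_errsv) { eval { die $src } }   # leaves a tainted message in $@
    else              { eval { 1 } }          # leaves $@ empty
    my $f      = $string;
    my $before = tainted($f) ? 1 : 0;
    $f =~ s!/*[^/]+$!!;
    my $after  = tainted($f) ? 1 : 0;
    my $errsv  = tainted($@) ? 1 : 0;         # report what $@ really was
    printf "%-26s errsv=%d before=%d after=%d%s\n",
        $label, $errsv, $before, $after,
        ($after && !$before) ? "  <-- spurious taint" : "";
    return ($after && !$before) ? 1 : 0;
}

# Controls run first, before anything has tainted $@.
my @cases = (
    [ 'clean $@,   byte string', 0, "out/abc" ],
    [ 'clean $@,   wide string', 0, "out/abc\x{263A}" ],
    [ 'tainted $@, byte string', 1, "out/abc" ],
    [ 'tainted $@, wide string', 1, "out/abc\x{263A}" ],   # case from the report
);

my $spurious = 0;
$spurious += probe(@$_) for @cases;
print $spurious ? "FAIL: $spurious case(s) gained taint\n"
                : "ok: no untainted input came out tainted\n";
exit($spurious ? 1 : 0);
```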