Bug#406205: libfile-find-rule-perl: Taint mode fails

Gunnar Wolf gwolf at gwolf.org
Wed Jan 10 00:50:47 CET 2007


tag 406205 + upstream
severity 406205 minor
thanks

Wolfgang Schemmel said [Tue, Jan 09, 2007 at 04:17:38PM +0100]:
> On etch, the taint mode won't work:
> 
> $ perl -MFile::Find::Rule -Tle '$rule=File::Find::Rule->new->extras({ untaint => 1 })->start($ARGV[0]); while ($f = $rule->match ) { print $f; }' .
> Insecure dependency in chdir while running with -T switch at /usr/share/perl5/File/Find/Rule.pm line 591.
> 
> This _will_ render all scripts, programs and applications
> using taint mode and this module unusable.
> 
> The bug is listed at CPAN for about 2 months now:
> http://rt.cpan.org/Public/Bug/Display.html?id=20418
> However, the untainting in that patch is just a slob job.
> Mine does real untainting.

Umh... I'm not sure I like this. I think the taint mode _is_ working
correctly here - You are getting information from outside your
program's direct control (the result of getcwd), and that perfectly
qualifies as tainting. And, although you include a check against a
regular expression, AFAICT it's a pretty arbitrary one:

>      my $cwd = getcwd;
> +    # Untaint it
> +    if ( $cwd =~ qr|^([-+@\w./]+)$| ) {
> +        $cwd = $1;
> +    } else {
> +        die "Couldn't untaint \$cwd: [$cwd]";
> +    }
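
Review bot: The whitelist in `qr|^([-+@\w./]+)$|` turns every working directory whose name has a character outside that class (a space, for instance) into a `die` inside library code, and it does so for all callers rather than only those who passed the `untaint => 1` extra shown in the report. Gate the untainting on that extra and document why a getcwd result is trusted, instead of guessing a character set. Also anchor with `\z` rather than `$`: `$` matches before a trailing newline, so a value ending in "\n" passes and `$1` silently differs from the string that was checked.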

Many users (although it's against the Unix culture) use spaces inside
files and directories (i.e. many of my users have their "My Documents"
Windows directory backed up in my server). Or filenames with all kinds
of diacritical marks on them, which would fail your test. But still,
you are not untainting the information - you are just giving a
hopefully correct pattern, still subject to containing wrong
information.

If anything, I would recommend changing the module's behaviour in a
way that the user should specify that he _knows_ some taintedness will
enter this way (although very probably benign, system-generated
taintedness), i.e., invoking this way (for the documentation's first
example):

my @subdirs = File::Find::Rule->directory(untaint=>1)->in( $directory );

PS- I'm following up this report to the upstream bug you mentioned, as
it belongs to upstream development and not in Debian.

Greetings,

-- 
Gunnar Wolf - gwolf at gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
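
The point made in the reply about spaces and diacritics, as an added example that is not part of the original message or of File::Find::Rule: it runs the pattern from the quoted patch over constructed directory names and reports which ones it rejects or alters. The sample paths and the helper name untaint_like_patch are assumptions made for illustration; run it with `perl -T` to see the taint status of getcwd as well.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use Scalar::Util qw(tainted);

# The pattern from the quoted patch, unchanged.
my $patch_re = qr|^([-+@\w./]+)$|;

# Constructed sample directory names (not taken from the bug report).
my @samples = (
    '/home/user/src',
    '/srv/backup/My Documents',    # space in a path component
    "/srv/backup/a\xc3\xb1o",      # UTF-8 bytes of an n with tilde
    "/tmp/work\n",                 # trailing newline
    '/tmp/../etc',                 # parent-directory component
);

# Hypothetical helper: returns the captured string, or undef when the
# pattern rejects the path (the patch calls die in that case).
sub untaint_like_patch {
    my ($path) = @_;
    return $path =~ $patch_re ? $1 : undef;
}

for my $path (@samples) {
    my $clean = untaint_like_patch($path);
    (my $shown = $path) =~ s/\n/\\n/g;    # make the newline visible
    my $verdict = !defined $clean  ? 'rejected (patch would die)'
                : $clean ne $path  ? 'accepted, but $1 differs from input'
                :                    'accepted';
    printf "%-28s %s\n", $shown, $verdict;
}

# Under -T the value from getcwd is reported as tainted, and the capture
# group is not, whatever the directory actually is.
my $cwd   = getcwd();
my $clean = untaint_like_patch($cwd);
printf "taint mode %s, getcwd tainted: %s, captured value tainted: %s\n",
    ${^TAINT} ? 'on' : 'off',
    tainted($cwd) ? 'yes' : 'no',
    defined $clean ? (tainted($clean) ? 'yes' : 'no') : 'n/a (rejected)';
```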



