$AUTOLOAD is never tainted #8513

Closed
p5pRT opened this issue Jul 6, 2006 · 8 comments

p5pRT commented Jul 6, 2006

Migrated from rt.perl.org#39733 (status was 'resolved')

Searchable as RT39733$

p5pRT commented Jul 6, 2006

From rick@bort.ca

This is a bug report for perl from rick@bort.ca,
generated with the help of perlbug 1.35 running under perl v5.8.8.


$AUTOLOAD appears to be unable to be tainted. This can be a
problem in a script like the following which should die the
same way on any input, but doesn't.

rick@biff:~/perl[33]% cat taintbug.pl
#!/usr/bin/perl -T

$m = shift;
main->$m;

sub ok { kill 0, $m }
sub AUTOLOAD { kill 0, $AUTOLOAD }
rick@biff:~/perl[34]% perl -T taintbug.pl ok
Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
rick@biff:~/perl[35]% perl -T taintbug.pl not ok
rick@biff:~/perl[36]%



Flags​:
  category=core
  severity=high


Site configuration information for perl v5.8.8​:

Configured by Debian Project at Thu Apr 6 00​:35​:33 UTC 2006.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration​:
  Platform​:
  osname=linux, osvers=2.6.16-1-vserver-amd64-k8, archname=x86_64-linux-gnu-thread-multi
  uname='linux athlon 2.6.16-1-vserver-amd64-k8 #2 smp wed mar 29 05​:33​:03 utc 2006 x86_64 gnulinux '
  config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.8 -Dsitearch=/usr/local/lib/perl/5.8.8 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.8 -Dd_dosuid -des'
  hint=recommended, useposix=true, d_sigaction=define
  usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
  useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
  use64bitint=define use64bitall=define uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
  ccversion='', gccversion='4.0.3 (Debian 4.0.3-1)', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags =' -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib
  libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
  perllibs=-ldl -lm -lpthread -lc -lcrypt
  libc=/lib/libc-2.3.6.so, so=so, useshrplib=true, libperl=libperl.so.5.8.8
  gnulibc_version='2.3.6'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches​:
 


@​INC for perl v5.8.8​:
  /etc/perl
  /usr/local/lib/perl/5.8.8
  /usr/local/share/perl/5.8.8
  /usr/lib/perl5
  /usr/share/perl5
  /usr/lib/perl/5.8
  /usr/share/perl/5.8
  /usr/local/lib/site_perl
  /usr/local/lib/perl/5.8.7
  /usr/local/share/perl/5.8.7
  /usr/local/lib/perl/5.8.4
  /usr/local/share/perl/5.8.4
  .


Environment for perl v5.8.8​:
  HOME=/home/rick
  LANG=en_US
  LANGUAGE=en_CA​:en_US​:en_GB​:en
  LC_COLLATE=C
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/usr/local/bin​:/bin​:/usr/bin​:/usr/X11R6/bin​:/home/rick/bin
  PERL_BADLANG (unset)
  SHELL=/bin/zsh
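
A way to see how a given perl build treats `$AUTOLOAD` under `-T`, and to keep an AUTOLOAD handler from depending on that flag, as an added example that is not part of the original report. The `Dispatcher` package, its allowlist and the default method name are hypothetical.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

package Dispatcher;    # hypothetical class, not from the report
our $AUTOLOAD;

# Hypothetical allowlist of method names AUTOLOAD is willing to serve.
my %ALLOWED = map { $_ => 1 } qw(status reload);

sub AUTOLOAD {
    my $self = shift;
    my $full = $AUTOLOAD;                  # "Dispatcher::<requested name>"
    return if $full =~ /::DESTROY\z/;      # destructor, not a request

    # Record what the interpreter did with the taint flag on $AUTOLOAD.
    my $flag = Scalar::Util::tainted($full) ? 1 : 0;

    # Validate independently of that flag: the capture is the only
    # untainted copy, and it exists only if the name matched the pattern.
    my ($name) = $full =~ /::([A-Za-z_][A-Za-z0-9_]*)\z/
        or die "malformed method name\n";
    die "method '$name' is not permitted\n" unless $ALLOWED{$name};

    return { method => $name, autoload_tainted => $flag };
}

package main;

# Command-line data is tainted under -T; the default literal is not.
my $m   = @ARGV ? shift @ARGV : 'status';
my $obj = bless {}, 'Dispatcher';

my $r = eval { $obj->$m };
unless ($r) { chomp(my $err = $@); $r = { error => $err } }

printf "method name tainted=%d\n", tainted($m) ? 1 : 0;
print join(', ', map { "$_=$r->{$_}" } sort keys %$r), "\n";
```

Run it with `perl -T` and a method name as the first argument; comparing the two printed flags shows whether the interpreter in use carries taint from the method name into `$AUTOLOAD`.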

p5pRT commented Jul 9, 2006

From rick@bort.ca

On Wed, Jul 05, 2006 at 10​:39​:59PM -0700, Rick Delaney wrote​:

rick@​biff​:~/perl[33]% cat taintbug.pl
#!/usr/bin/perl -T

$m = shift;
main->$m;

sub ok { kill 0, $m }
sub AUTOLOAD { kill 0, $AUTOLOAD }
rick@​biff​:~/perl[34]% perl -T taintbug.pl ok
Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
rick@​biff​:~/perl[35]% perl -T taintbug.pl not ok
rick@​biff​:~/perl[36]%

Patch after .sig.

--
Rick Delaney
rick@​bort.ca

Inline Patch
diff -pruN perl-current/gv.c perl-current-dev/gv.c
--- perl-current/gv.c	2006-06-13 15:29:11.000000000 -0400
+++ perl-current-dev/gv.c	2006-07-09 12:13:42.000000000 -0400
@@ -654,7 +654,6 @@ Perl_gv_autoload4(pTHX_ HV *stash, const
     sv_setpvn(varsv, packname, packname_len);
     sv_catpvs(varsv, "::");
     sv_catpvn(varsv, name, len);
-    SvTAINTED_off(varsv);
     return gv;
 }
 
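Review bot: the removal of `SvTAINTED_off(varsv);` in Perl_gv_autoload4 leaves no comment at the site, and the patch touches only gv.c and t/op/taint.t, so the behaviour change is undocumented: a script running under -T that passes $AUTOLOAD to a taint-checked operation will now die where it previously ran. Suggest a one-line comment above `return gv;` stating that $AUTOLOAD deliberately keeps whatever taint the preceding sv_setpvn/sv_catpvn calls left on it, and a perldelta entry in the same change.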
diff -pruN perl-current/t/op/taint.t perl-current-dev/t/op/taint.t
--- perl-current/t/op/taint.t	2006-06-13 15:29:33.000000000 -0400
+++ perl-current-dev/t/op/taint.t	2006-07-09 14:34:33.000000000 -0400
@@ -17,7 +17,7 @@ use Config;
 use File::Spec::Functions;
 
 BEGIN { require './test.pl'; }
-plan tests => 249;
+plan tests => 251;
 
 $| = 1;
 
@@ -1185,3 +1185,22 @@ SKIP:
 	test $@ =~ /Insecure \$ENV/, 'popen neglects %ENV check';
     }
 }
+
+{
+    package AUTOLOAD_TAINT;
+    sub AUTOLOAD {
+        our $AUTOLOAD;
+        return if $AUTOLOAD =~ /DESTROY/;
+        if ($AUTOLOAD =~ /untainted/) {
+            main::ok(!main::tainted($AUTOLOAD), '$AUTOLOAD can be untainted');
+        } else {
+            main::ok(main::tainted($AUTOLOAD), '$AUTOLOAD can be tainted');
+        }
+    }
+
+    package main;
+    my $o = bless [], 'AUTOLOAD_TAINT';
+    $o->$TAINT;
+    $o->untainted;
+}
+
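Review bot: the guard `return if $AUTOLOAD =~ /DESTROY/;` and the branch test `/untainted/` in AUTOLOAD_TAINT::AUTOLOAD are unanchored, so any method name that merely contains either string takes that path, and a silently skipped call would surface only as a plan mismatch. Suggest anchoring both, for example `/::DESTROY\z/` and `/::untainted\z/`. The block also asserts only the taint flag; a further case that passes $AUTOLOAD to a taint-checked builtin inside an eval and checks for "Insecure dependency", as the original report does with kill, would cover the behaviour the report is about.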

p5pRT commented Jul 10, 2006

From @hvds

Rick Delaney <rick@​bort.ca> wrote​:
:On Wed, Jul 05, 2006 at 10​:39​:59PM -0700, Rick Delaney wrote​:
:> rick@​biff​:~/perl[33]% cat taintbug.pl
:> #!/usr/bin/perl -T
:>
:> $m = shift;
:> main->$m;
:>
:> sub ok { kill 0, $m }
:> sub AUTOLOAD { kill 0, $AUTOLOAD }
:> rick@​biff​:~/perl[34]% perl -T taintbug.pl ok
:> Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
:> rick@​biff​:~/perl[35]% perl -T taintbug.pl not ok
:> rick@​biff​:~/perl[36]%
:
:Patch after .sig.

This should also be documented as a significant change for upgraders.

Hugo

p5pRT commented Jul 10, 2006

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jul 31, 2006

From rick@bort.ca

Ping.

On Mon, Jul 10, 2006 at 01​:03​:00PM +0100, hv@​crypt.org wrote​:

Rick Delaney <rick@​bort.ca> wrote​:
:On Wed, Jul 05, 2006 at 10​:39​:59PM -0700, Rick Delaney wrote​:
:> rick@​biff​:~/perl[33]% cat taintbug.pl
:> #!/usr/bin/perl -T
:>
:> $m = shift;
:> main->$m;
:>
:> sub ok { kill 0, $m }
:> sub AUTOLOAD { kill 0, $AUTOLOAD }
:> rick@​biff​:~/perl[34]% perl -T taintbug.pl ok
:> Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
:> rick@​biff​:~/perl[35]% perl -T taintbug.pl not ok
:> rick@​biff​:~/perl[36]%
:
:Patch after .sig.

This should also be documented as a significant change for upgraders.

I think a note in perldelta would be sufficient, yes?

--
Rick Delaney
rick@​bort.ca

p5pRT commented Aug 1, 2006

From @hvds

Rick Delaney <rick@​bort.ca> wrote​:
:Ping.
:
:On Mon, Jul 10, 2006 at 01​:03​:00PM +0100, hv@​crypt.org wrote​:
:> Rick Delaney <rick@​bort.ca> wrote​:
:> :On Wed, Jul 05, 2006 at 10​:39​:59PM -0700, Rick Delaney wrote​:
:> :> rick@​biff​:~/perl[33]% cat taintbug.pl
:> :> #!/usr/bin/perl -T
:> :>
:> :> $m = shift;
:> :> main->$m;
:> :>
:> :> sub ok { kill 0, $m }
:> :> sub AUTOLOAD { kill 0, $AUTOLOAD }
:> :> rick@​biff​:~/perl[34]% perl -T taintbug.pl ok
:> :> Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
:> :> rick@​biff​:~/perl[35]% perl -T taintbug.pl not ok
:> :> rick@​biff​:~/perl[36]%
:> :
:> :Patch after .sig.
:>
:> This should also be documented as a significant change for upgraders.
:
:I think a note in perldelta would be sufficient, yes?

Yes.

Hugo

p5pRT commented Aug 2, 2006

From @rgarcia

On 09/07/06, Rick Delaney <rick@​bort.ca> wrote​:

rick@​biff​:~/perl[33]% cat taintbug.pl
#!/usr/bin/perl -T

$m = shift;
main->$m;

sub ok { kill 0, $m }
sub AUTOLOAD { kill 0, $AUTOLOAD }
rick@​biff​:~/perl[34]% perl -T taintbug.pl ok
Insecure dependency in kill while running with -T switch at taintbug.pl line 6.
rick@​biff​:~/perl[35]% perl -T taintbug.pl not ok
rick@​biff​:~/perl[36]%

Patch after .sig.

Thanks, applied as change #28649 (with a note in perldelta)

p5pRT commented Aug 2, 2006

@rgs - Status changed from 'open' to 'resolved'
