
$_[0]=~/str/g does not move pos and is true forever when $_[0] is tainted #11204

Closed
p5pRT opened this issue Mar 22, 2011 · 5 comments

Comments

@p5pRT

p5pRT commented Mar 22, 2011

Migrated from rt.perl.org#86784 (status was 'resolved')

Searchable as RT86784$

@p5pRT

p5pRT commented Mar 22, 2011

From Mark.Martinec@ijs.si

Created by Mark.Martinec@ijs.si

The following test case loops forever
when given a tainted string to operate on:

perl -Te 'sub x { while ($_[0] =~ /test/g) { printf("str=%s, pos=%s\n", $_[0], pos $_[0]) } }; x("atested".substr($0,0,0))'
str=atested, pos=
str=atested, pos=
str=atested, pos=
str=atested, pos=
str=atested, pos=
str=atested, pos=
str=atested, pos=
str=atested, pos=

The same code works correctly without -T or with untainted argument of x():

$ perl -e 'sub x { while ($_[0] =~ /test/g) { printf("str=%s, pos=%s\n", $_[0], pos $_[0]) } }; $t = "atested test".$0; x($t)'
str=atested test-e, pos=5
str=atested test-e, pos=12

Copying $_[0] to a temporary variable and letting the '=' operate
on a copy avoids the problem. Similarly, working through
a ref: $s=\$_[0]; while ($$s = /test/g)... avoids the problem.

At least the following versions of perl seem to be affected:
  5.8.8, 5.10.1, 5.12.3;
the version 5.13.10 works correctly.

The code above has been distilled from SpamAssassin's
plugin OneLineBodyRuleType.pm, which falls into a loop
under certain circumstances. Thanks to Matt Elson for
the initial investigation.

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.12.3:

Configured by mark at Wed Mar 16 18:52:51 CET 2011.

Summary of my perl5 (revision 5 version 12 subversion 3) configuration:
   
  Platform:
    osname=freebsd, osvers=8.2-release, archname=amd64-freebsd
    uname='freebsd neli.ijs.si 8.2-release freebsd 8.2-release #0: fri feb 25 17:19:30 cet 2011 mark@neli.ijs.si:usrobjusrsrcsysneli amd64 '
    config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.12.3/mach -Dprivlib=/usr/local/lib/perl5/5.12.3 -Dman3dir=/usr/local/lib/perl5/5.12.3/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.12.3/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.12.3 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.12.3/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.12.3/BSDPAN" -Doptimize=-O2 -pipe -fno-strict-aliasing -Ui_gdbm -Dusethreads=n -Dusemymalloc=n -Duse64bitint'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.12.3/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-O2 -pipe -fno-strict-aliasing',
    cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.12.3/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 20070719  [FreeBSD]', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.12.3/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib -fstack-protector'

Locally applied patches:
    


@INC for perl 5.12.3:
    /usr/local/lib/perl5/5.12.3/BSDPAN
    /usr/local/lib/perl5/site_perl/5.12.3/mach
    /usr/local/lib/perl5/site_perl/5.12.3
    /usr/local/lib/perl5/5.12.3/mach
    /usr/local/lib/perl5/5.12.3
    .


Environment for perl 5.12.3:
    HOME=/home/mark
    LANG (unset)
    LANGUAGE=
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/kde4/bin/:/usr/local/kde4/sbin:/usr/X11R6/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

@p5pRT

p5pRT commented Mar 22, 2011

From Mark.Martinec@ijs.si

By mistake I showed two different args in a call to x(): as a constant,
or as first assigned to a variable. Either will do, the catch is not there.
My intention was to use $t = "atested test".$0; x($t) in both cases.
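The two workarounds named in the report (iterate on a copy, or through a reference) and a bounded loop that refuses to spin when pos() stops advancing, as an added example; this is not code from the report or from SpamAssassin, and the function names are hypothetical. The input is constructed the same way as in the report, so it is tainted under -T.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper (not from the report or SpamAssassin): collect the
# pos() after every /test/ match, iterating on a copy of $_[0] rather than
# on the alias to the caller's (tainted) value.
sub matches_via_copy {
    my $str = $_[0];    # the copy breaks the alias; //g then advances normally
    my @pos;
    while ($str =~ /test/g) {
        push @pos, pos($str);
    }
    return @pos;
}

# Same idea through a reference, the other workaround named in the report.
sub matches_via_ref {
    my $s = \$_[0];
    my @pos;
    while ($$s =~ /test/g) {
        push @pos, pos($$s);
    }
    return @pos;
}

# Defensive loop for code that must iterate on the original value: stop as
# soon as pos() is undefined or fails to move forward, instead of looping
# forever on externally supplied input.
sub matches_guarded {
    my @pos;
    my $last = -1;
    while ($_[0] =~ /test/g) {
        my $p = pos($_[0]);
        if (!defined $p || $p <= $last) {
            warn "pos() did not advance; aborting //g loop\n";
            last;
        }
        push @pos, $p;
        $last = $p;
    }
    return @pos;
}

# Constructed input: $0 is tainted under -T, so the concatenation is too.
my $tainted = "atested test" . substr($0, 0, 0);

# On a perl without the bug all three print "5,12"; on an affected perl the
# first two still print "5,12" and the guarded loop warns and returns nothing.
printf "copy:    %s\n", join(",", matches_via_copy($tainted));
printf "ref:     %s\n", join(",", matches_via_ref($tainted));
printf "guarded: %s\n", join(",", matches_guarded($tainted));
```

Run it as `perl -T script.pl` (the -T on the shebang line must also appear on the command line). The copy and the reference forms are the fixes to apply in library code; the guarded form is the belt-and-braces check for a long-running filter that cannot afford one stuck //g loop on attacker-controlled input.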

@p5pRT

p5pRT commented Mar 23, 2011

From p5p@perl.wizbit.be

-----------------------------------------------------------------
[Please describe your issue here]

The following test case loops forever
when given a tainted string to operate on:

perl -Te 'sub x { while ($_[0] =~ /test/g) { printf("str=%s, pos=%s\n", $_[0], pos $_[0]) } }; x("atested".substr($0,0,0))'

[...]

This is a duplicate of
#8262: //g loops infinitely on tainted data

Which is linked to:

* #27344: pos() does not get updated when running in taint mode
* #5475: Bug in taint+regex+hash/arrays

=> Marking as resolved.

Best regards,

Bram

@p5pRT

p5pRT commented Mar 23, 2011

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Mar 23, 2011

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'
