Skip Menu |
Report information
Id: 122669
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: rcaputo2 <rcaputo [at] cpan.org>
Cc:
AdminCc:

Operating System: darwin
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.16.2
Fixed In: 5.22.0



Date: Sun, 31 Aug 2014 14:34:39 -0400
To: perlbug [...] perl.org
From: Rocco Caputo <rcaputo [...] cpan.org>
Subject: mysterious place for an insecure dependency error
Download (untitled) / with headers
text/plain 7.7k
This is a bug report for perl from rcaputo@cpan.org, generated with the help of perlbug 1.39 running under perl 5.16.2. ----------------------------------------------------------------- [Please describe your issue here] I have a Perl one-liner that fails for "Insecure dependency in require" at an odd place. It mystified Matt Trout on freenode #perl, and everyone on rhizomatic/magnet #p5p was out when I asked. TUNING_KNOB=0 perl -T -wle 'use warnings; use strict; use constant KNOB => $ENV{TUNING_KNOB}; BEGIN { print 1 } use strict; BEGIN { print 2 } use strict; BEGIN { print 3 } 1 if KNOB; BEGIN { print 4 } use strict; print "OK"' The odd place is after "4" is printed and before "OK". It's as if invoking the constant taints @INC somehow. Setting TUNING_KNOB=1 also invokes the insecure dependency. Omitting TUNING_KNOB entirely, eliminates the error. It may be a case where taintedness is seeping in from %ENV to somewhere it oughtn't. Or that tainting runs deeper than my understanding. [Please do not change anything below this line] ----------------------------------------------------------------- --- Flags: category=core severity=medium --- Site configuration information for perl 5.16.2: Configured by _mdnsresponder at Sun Aug 25 01:10:27 PDT 2013. Summary of my perl5 (revision 5 version 16 subversion 2) configuration: Platform: osname=darwin, osvers=13.0, archname=darwin-thread-multi-2level uname='darwin jackson.apple.com 13.0 darwin kernel version 13.0.0: tue jul 30 20:52:22 pdt 2013; root:xnu-2422.1.53~3release_x86_64 x86_64 ' config_args='-ds -e -Dprefix=/usr -Dccflags=-g -pipe -Dldflags= -Dman3ext=3pm -Duseithreads -Duseshrplib -Dinc_version_list=none -Dcc=cc' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-arch x86_64 -arch i386 -g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector -I/usr/local/include', optimize='-Os', cppflags='-g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.2.1 Compatible Apple LLVM 5.0 (clang-500.0.68)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc -mmacosx-version-min=10.9', ldflags ='-arch x86_64 -arch i386 -fstack-protector -L/usr/local/lib' libpth=/usr/local/lib /usr/lib libs= perllibs= libc=, so=dylib, useshrplib=true, libperl=libperl.dylib gnulibc_version='' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' ' cccdlflags=' ', lddlflags='-arch x86_64 -arch i386 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector' Locally applied patches: /Library/Perl/Updates/<version> comes before system perl directories installprivlib and installarchlib points to the Updates directory CVE-2013-1667 hashtable DOS fix --- @INC for perl 5.16.2: /Users/troc/projects/poe/poe/lib /Users/troc/projects/poco-client-keepalive/lib /Users/troc/projects/poco-client-dns/lib /Users/troc/projects/poco-resolver/lib /Users/troc/projects/poco-client-ping/lib /Users/troc/projects/poco-client-http/lib /Users/troc/projects/repo-tools/lib /Users/troc/projects/lex-per/lib /Users/troc/projects/poe/poe-test-loops/lib /Users/troc/projects/poe/poe-loop-event/lib /Users/troc/projects/poe/poe-loop-gtk/lib /Users/troc/projects/poe/poe-loop-tk/lib /Users/troc/projects/dzp-changelogfromgit/lib /Users/troc/projects/dzp-creditsfromgit/lib /Users/troc/projects/git/SVN-Dump/lib /Users/troc/projects/reflex/lib /Users/troc/projects/pod-plexus/pod-plexus/lib /Users/troc/projects/pod-plexus/dist-zilla-plugin-podplexus/lib /Users/troc/projects/pod-plexus/pod-weaver-plugin-podplexus/lib /Users/troc/projects/app-pipefilter/lib /Users/troc/projects/io-pipely/lib /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/lib /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/arch /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/lib /Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/arch /Users/troc/Work/plixer/scrutinizer/trunk/lib /Users/troc/Work/plixer/scrutinizer/trunk /Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/lib /Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/arch /Users/troc/Work/plixer/externals/trunk/FDI/lib /Users/troc/Work/plixer/keygen/trunk/lib /Users/troc/Work/plixer/personal/lib /usr/local/lib/perl5 /Library/Perl/5.16/darwin-thread-multi-2level /Library/Perl/5.16 /usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16/darwin-thread-multi-2level /usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16 /Library/Perl/5.16/darwin-thread-multi-2level /Library/Perl/5.16 /Network/Library/Perl/5.16/darwin-thread-multi-2level /Network/Library/Perl/5.16 /Library/Perl/Updates/5.16.2/darwin-thread-multi-2level /Library/Perl/Updates/5.16.2 /System/Library/Perl/5.16/darwin-thread-multi-2level /System/Library/Perl/5.16 /System/Library/Perl/Extras/5.16/darwin-thread-multi-2level /System/Library/Perl/Extras/5.16 . --- Environment for perl 5.16.2: DYLD_LIBRARY_PATH (unset) HOME=/Users/troc LANG=en_US.UTF-8 LANGUAGE (unset) LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/troc/bin:/usr/local/bin:/usr/local/sbin:/home/troc/projects/poe/poe-test-loops/bin:/home/troc/projects/app-pipefilter/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin:/usr/texbin:/home/troc/Work/plixer/personal/bin PERL5LIB=/Users/troc/projects/poe/poe/lib:/Users/troc/projects/poco-client-keepalive/lib:/Users/troc/projects/poco-client-dns/lib:/Users/troc/projects/poco-resolver/lib:/Users/troc/projects/poco-client-ping/lib:/Users/troc/projects/poco-client-http/lib:/Users/troc/projects/repo-tools/lib:/Users/troc/projects/lex-per/lib:/Users/troc/projects/poe/poe-test-loops/lib:/Users/troc/projects/poe/poe-loop-event/lib:/Users/troc/projects/poe/poe-loop-gtk/lib:/Users/troc/projects/poe/poe-loop-tk/lib:/Users/troc/projects/dzp-changelogfromgit/lib:/Users/troc/projects/dzp-creditsfromgit/lib:/Users/troc/projects/git/SVN-Dump/lib:/Users/troc/projects/reflex/lib:/Users/troc/projects/pod-plexus/pod-plexus/lib:/Users/troc/projects/pod-plexus/dist-zilla-plugin-podplexus/lib:/Users/troc/projects/pod-plexus/pod-weaver-plugin-podplexus/lib:/Users/troc/projects/app-pipefilter/lib:/Users/troc/projects/io-pipely/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor-aggregator-byInterface_XS_Salvador/blib/arch:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/collector-FlowProcessor/blib/arch:/Users/troc/Work/plixer/scrutinizer/trunk/lib:/Users/troc/Work/plixer/scrutinizer/trunk:/Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/lib:/Users/troc/Work/plixer/externals/trunk/XS/ExUnpack/blib/arch:/Users/troc/Work/plixer/externals/trunk/FDI/lib:/Users/troc/Work/plixer/keygen/trunk/lib:/Users/troc/Work/plixer/personal/lib:/usr/local/lib/perl5:/Library/Perl/5.16:/usr/local/Cellar/subversion/1.8.4/Library/Perl/5.16: PERL_BADLANG (unset) SHELL=/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 982b
On Sun Aug 31 11:35:47 2014, rcaputo2 wrote: Show quoted text
> This is a bug report for perl from rcaputo@cpan.org, > generated with the help of perlbug 1.39 running under perl 5.16.2. > > > ----------------------------------------------------------------- > [Please describe your issue here] > > I have a Perl one-liner that fails for "Insecure dependency in > require" at an odd place. > > It mystified Matt Trout on freenode #perl, and everyone on > rhizomatic/magnet #p5p was out when I asked.
That’s not mystifying at all. :-) Taintedness is reset at the start of execution of each statement. So if we are not executing any statements, the taintedness that results when the compiler reads KNOB to fold the ‘if KNOB’ expression extends much further than it should, causing ‘use’ to fail. I don’t know why the BEGIN{ print 4 } doesn’t clean it, but I imagine it’s saving and restoring state, including taintedness. I might have it fixed today. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 1.1k
On Sun Aug 31 13:33:38 2014, sprout wrote: Show quoted text
> On Sun Aug 31 11:35:47 2014, rcaputo2 wrote:
> > This is a bug report for perl from rcaputo@cpan.org, > > generated with the help of perlbug 1.39 running under perl 5.16.2. > > > > > > ----------------------------------------------------------------- > > [Please describe your issue here] > > > > I have a Perl one-liner that fails for "Insecure dependency in > > require" at an odd place. > > > > It mystified Matt Trout on freenode #perl, and everyone on > > rhizomatic/magnet #p5p was out when I asked.
> > That’s not mystifying at all. :-) > > Taintedness is reset at the start of execution of each statement. So > if we are not executing any statements, the taintedness that results > when the compiler reads KNOB to fold the ‘if KNOB’ expression extends > much further than it should, causing ‘use’ to fail. > > I don’t know why the BEGIN{ print 4 } doesn’t clean it, but I imagine > it’s saving and restoring state, including taintedness.
No, actually ‘use’ *does* execute a nextstate op. It’s just that the scalar containing ‘strict.pm’ is *created* when taintedness is still in the air. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Fixed in 64ff300be0f. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 583b
On Sun Aug 31 14:46:14 2014, sprout wrote: Show quoted text
> Fixed in 64ff300be0f. >
I’ve just noticed that a fix for the test added by 64ff300be0f is listed in Porting/cherry-pick-votes-maint-5.20.xml on the maint-5.20-votes branch: <commit votes="steveh" id="eaff586aa6444fb20654ed863b7ff35e136737e8" ticket="" desc="Fix t/op/taint.t on Windows"/> But the commit that added the test is not. This is, however, a regression from an earlier version of perl (5.8.8), so 64ff300be0f could be a candidate for 5.20.2. And it’s a pretty annoying and baffling bug, too. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 696b
On Sat Dec 06 17:42:42 2014, sprout wrote: Show quoted text
> On Sun Aug 31 14:46:14 2014, sprout wrote:
> > Fixed in 64ff300be0f. > >
> > I’ve just noticed that a fix for the test added by 64ff300be0f is > listed in Porting/cherry-pick-votes-maint-5.20.xml on the maint-5.20- > votes branch: > > <commit votes="steveh" id="eaff586aa6444fb20654ed863b7ff35e136737e8" > ticket="" desc="Fix t/op/taint.t on Windows"/> > > But the commit that added the test is not. > > This is, however, a regression from an earlier version of perl > (5.8.8), so 64ff300be0f could be a candidate for 5.20.2. And it’s a > pretty annoying and baffling bug, too.
Thanks, I've added 64ff300be0f to the list of proposed commits.
Date: Wed, 18 Feb 2015 18:44:12 +0100 (CET)
From: Mark.Martinec [...] ijs.si
CC: Mark.Martinec [...] ijs.si
Subject: utf8::SWASHNEW messes taint state when $1,$2,$3 are tainted (dup of [perl #122669] ?)
To: perlbug [...] perl.org
This is a bug report for perl from Mark.Martinec@ijs.si, generated with the help of perlbug 1.40 running under perl 5.20.1. ----------------------------------------------------------------- [Please describe your issue here] The following program: use strict; use re 'taint'; $ENV{PATH} =~ /^(.)(.)(.)/; eval 'qr/\p{IsXDigit}/; printf("OK\n")' or die "Eval failed: $@\n"; yields: Eval failed: Insecure dependency in printf while running with -T switch at (eval 1) line 1. This is possibly related to [perl #122669], as it seems to be fixed with perl 5.20.2 (but fails on 5.20.1). Regardless, seems prudent to localize $1, $2 and $3 in utf8::SWASHNEW so that it does not depend on whether these global variables are tainted or not. [Please do not change anything below this line] ----------------------------------------------------------------- --- Flags: category=core severity=medium --- Site configuration information for perl 5.20.1: Configured by root at Wed Dec 17 20:24:38 UTC 2014. Summary of my perl5 (revision 5 version 20 subversion 1) configuration: Platform: osname=freebsd, osvers=10.0-release, archname=amd64-freebsd-thread-multi uname='freebsd 10amd64-ws-default-job-01 10.0-release freebsd 10.0-release amd64 ' config_args='-sde -Dprefix=/usr/local -Dlibperl=libperl.so.5.20.1 -Darchlib=/usr/local/lib/perl5/5.20/mach -Dprivlib=/usr/local/lib/perl5/5.20 -Dman3dir=/usr/local/lib/perl5/5.20/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/mach/5.20 -Dsitelib=/usr/local/lib/perl5/site_perl -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/site_perl/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none -Dotherlibdirs=/usr/local/lib/perl5/site_perl/5.20:/usr/local/lib/perl5/site_perl/5.20/mach -Doptimize=-g -DDEBUGGING -Ui_gdbm -Dusemultiplicity=n -Duse64bitint -Dusethreads=y -Dusemymalloc=n' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include', optimize='-g', cppflags='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.2.1 Compatible FreeBSD Clang 3.3 (tags/RELEASE_33/final 183502)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags ='-pthread -Wl,-E -fstack-protector -L/usr/local/lib' libpth=/usr/lib /usr/local/lib /usr/include/clang/3.3 /usr/lib libs=-lm -lcrypt -lutil perllibs=-lm -lcrypt -lutil libc=, so=so, useshrplib=true, libperl=libperl.so.5.20.1 gnulibc_version='' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' -Wl,-R/usr/local/lib/perl5/5.20/mach/CORE' cccdlflags='-DPIC -fPIC', lddlflags='-shared -L/wrkdirs/usr/ports/lang/perl5.20/work/perl-5.20.1 -L/usr/local/lib/perl5/5.20/mach/CORE -Wl,-rpath=/usr/local/lib/perl5/5.20/mach/CORE -lperl -L/usr/local/lib -fstack-protector' --- @INC for perl 5.20.1: /usr/local/lib/perl5/site_perl/mach/5.20 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.20/mach /usr/local/lib/perl5/5.20 /usr/local/lib/perl5/site_perl/5.20 /usr/local/lib/perl5/site_perl/5.20/mach . --- Environment for perl 5.20.1: HOME=/home/mark LANG (unset) LANGUAGE= LC_ALL=en_US.UTF-8 LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/kde4/bin/:/usr/X11R6/bin PERL_BADLANG (unset) SHELL=/usr/local/bin/bash
Subject: Your ticket against Perl 5 has been resolved
Download (untitled) / with headers
text/plain 222b
Thanks for submitting this ticket The issue should be resolved with the release today of Perl v5.22. If you find that the problem persists, feel free to reopen this ticket -- Karl Williamson for the Perl 5 porters team


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org