
use re 'taint' regression #13824

Closed
p5pRT opened this issue May 12, 2014 · 5 comments

p5pRT commented May 12, 2014

Migrated from rt.perl.org#121854 (status was 'resolved')

Searchable as RT121854$


p5pRT commented May 12, 2014

From @ntyni

This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
generated with the help of perlbug 1.40 running under perl 5.19.12.


Found this while trying to get mod_perl2 to work with 5.19.11:

% perl -T -Mre=taint -le 'print $^V; sub f { $_[0] =~ /(.*)/ and return $1; }; f($^X); eval f(q{print "ok"})'
v5.18.2
ok

% ./perl -I$(pwd)/lib -T -Mre=taint -le 'print $^V; sub f { $_[0] =~ /(.*)/ and return $1; }; f($^X); eval f(q{print "ok"})'
v5.19.12
Insecure dependency in eval while running with -T switch at -e line 1.

It looks like once the regexp has output tainted data once, it remembers
that and outputs tainted data on subsequent calls even where the input
is not tainted.

I reduced the above from File::Basename::dirname() seemingly randomly
tainting its output:

./perl -I$(pwd)/lib -T -MScalar::Util=tainted -MFile::Basename=dirname -e 'dirname($ENV{HOME}); die if tainted dirname("/tmp")'
Died at -e line 1.

which broke the mod_perl2 test suite.

Bisecting gives v5.19.8-533-g63baef5:

63baef5 is the first bad commit
commit 63baef5
Author: Karl Williamson <public@khwilliamson.com>
Date: Tue Feb 18 12:59:26 2014 -0700

  Make taint checking regex compile time instead of runtime



Flags:
  category=library
  severity=high
  module=re


Site configuration information for perl 5.19.12:

Configured by niko at Tue May 13 00:20:10 EEST 2014.

Summary of my perl5 (revision 5 version 19 subversion 12) configuration:
  Commit id: cb07e2f
  Platform:
  osname=linux, osvers=3.14-1-amd64, archname=x86_64-linux
  uname='linux estella 3.14-1-amd64 #1 smp debian 3.14.2-1 (2014-04-28) x86_64 gnulinux '
  config_args='-des -Dusedevel'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.8.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.18.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.18'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'


@INC for perl 5.19.12:
  lib
  /usr/local/lib/perl5/site_perl/5.19.12/x86_64-linux
  /usr/local/lib/perl5/site_perl/5.19.12
  /usr/local/lib/perl5/5.19.12/x86_64-linux
  /usr/local/lib/perl5/5.19.12
  .


Environment for perl 5.19.12:
  HOME=/home/niko
  LANG=
  LANGUAGE=en_US:en
  LC_CTYPE=fi_FI.UTF-8
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/niko/bin:/home/niko/bin:/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/sbin:/usr/sbin
  PERL_BADLANG (unset)
  SHELL=/bin/zsh


p5pRT commented May 13, 2014

From @iabyn

On Mon, May 12, 2014 at 03:05:37PM -0700, Niko Tyni wrote:

> Found this while trying to get mod_perl2 to work with 5.19.11:
>
> % perl -T -Mre=taint -le 'print $^V; sub f { $_[0] =~ /(.*)/ and return $1; }; f($^X); eval f(q{print "ok"})'
> v5.18.2
> ok
>
> % ./perl -I$(pwd)/lib -T -Mre=taint -le 'print $^V; sub f { $_[0] =~ /(.*)/ and return $1; }; f($^X); eval f(q{print "ok"})'
> v5.19.12
> Insecure dependency in eval while running with -T switch at -e line 1.
>
> It looks like once the regexp has output tainted data once, it remembers
> that and outputs tainted data on subsequent calls even where the input
> is not tainted.
>
> I reduced the above from File::Basename::dirname() seemingly randomly
> tainting its output:
>
> ./perl -I$(pwd)/lib -T -MScalar::Util=tainted -MFile::Basename=dirname -e 'dirname($ENV{HOME}); die if tainted dirname("/tmp")'
> Died at -e line 1.
>
> which broke the mod_perl2 test suite.
>
> Bisecting gives v5.19.8-533-g63baef5:
>
> 63baef5 is the first bad commit
> commit 63baef5
> Author: Karl Williamson <public@khwilliamson.com>
> Date: Tue Feb 18 12:59:26 2014 -0700
>
>   Make taint checking regex compile time instead of runtime

Now fixed with this:

commit 1738e04
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Tue May 13 14:18:06 2014 +0100
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Tue May 13 15:20:54 2014 +0100

  [perl #121854] use re 'taint' regression

  Commit v5.19.8-533-g63baef5 changed the handling of locale-dependent
  regexes so that the pattern was considered tainted at compile-time, rather
  than determining it each time at run-time whenever it executed a
  locale-dependent node. Unfortunately due to the conflating of two flags,
  RXf_TAINTED and RXf_TAINTED_SEEN, it had the side effect of permanently
  marking a pattern as tainted once it had had a single tainted result.

  E.g.

      use re qw(taint);
      use Scalar::Util qw(tainted);
      for ($^X, "abc") {
          /(.*)/ or die;
          print "not " unless tainted("$1"); print "tainted\n";
      };

  which from 5.19.9 onwards output:

      tainted
      tainted

  but with this commit (and with 5.19.8 and earlier), it now outputs:

      tainted
      not tainted

  The RXf_TAINTED flag indicates that the pattern itself is tainted, e.g.

      $r = qr/$tainted_value/

  while the RXf_TAINTED_SEEN flag means that the results of the last match
  are tainted, e.g.

      use re 'taint';
      $tainted =~ /(.*)/;
      # $1 is tainted

  Pre 63baef5, the code used to look like:

  at run-time:

      turn off RXf_TAINTED_SEEN;
      while (nodes to execute) {
          switch(node) {
          case BOUNDL: /* and other locale-specific ops */
              turn on RXf_TAINTED_SEEN;
              ...;
          }
      }
      if (tainted || RXf_TAINTED)
          turn on RXf_TAINTED_SEEN;

  63baef5 changed it to:

  at compile-time:

      if (pattern has locale ops)
          turn on RXf_TAINTED_SEEN;

  at run-time:

      while (nodes to execute) {
          ...
      }
      if (tainted || RXf_TAINTED)
          turn on RXf_TAINTED_SEEN;

  This commit changes it to:

  at compile-time:

      if (pattern has locale ops)
          turn on RXf_TAINTED;

  at run-time:

      turn off RXf_TAINTED_SEEN;
      while (nodes to execute) {
          ...
      }
      if (tainted || RXf_TAINTED)
          turn on RXf_TAINTED_SEEN;

--
I don't want to achieve immortality through my work...
I want to achieve it through not dying.
  -- Woody Allen
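
The following regression check is an added example for this page, not the test perl itself committed with 1738e04. Run under `perl -T`, it exercises the two properties the commit message distinguishes: under `use re 'taint'` a capture inherits the taint of its input, and the same pattern applied afterwards to untainted input must return an untainted result (the case that 5.19.9 through 5.19.12 got wrong). It assumes `$^X` is a plain POSIX path so the whitelist in the last block accepts it.

```perl
#!/usr/bin/perl -T
# Added regression check for the "remembered taint" bug in use re 'taint';
# this is not part of perl's own t/op/taint.t. Run as:  perl -T taint_regression.t
use strict;
use warnings;
use Test::More tests => 6;
use Scalar::Util qw(tainted);

# Under -T the interpreter path $^X is always tainted; a string literal never is.
my $tainted_in = $^X;
my $clean_in   = "/tmp";
ok(  tainted($tainted_in), '$^X is tainted under -T');
ok( !tainted($clean_in),   'a literal is not tainted');

{
    use re 'taint';    # lexically scoped: applies to the sub compiled in this block

    # The same regexp op is applied first to tainted, then to clean input.
    sub capture_all { $_[0] =~ /(.*)/ or die "no match"; return $1 }

    ok(  tainted(capture_all($tainted_in)),
         "use re 'taint': capture from tainted input is tainted");

    # The 5.19.9..5.19.12 regression: RXf_TAINTED_SEEN stayed set after the
    # first tainted match, so this result came back tainted as well.
    ok( !tainted(capture_all($clean_in)),
         "use re 'taint': a later capture from clean input is NOT tainted");
}

{
    # Default mode (no pragma): a capture is the documented way to launder
    # tainted data, so only accept a narrow whitelist of path characters
    # (assumed sufficient for a POSIX interpreter path).
    sub launder_path {
        $_[0] =~ m{^([\w/.+-]+)\z} or die "untrusted input rejected";
        return $1;
    }

    ok( !tainted(launder_path($tainted_in)),
         'default: whitelisted capture from tainted input is untainted');
    ok( !tainted(launder_path($clean_in)),
         'default: capture from clean input is untainted');
}
```

On a perl with the bug the fourth test fails; on 5.19.8 and earlier, and on 5.19.12 with commit 1738e04, all six pass.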


p5pRT commented May 13, 2014

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented May 16, 2014

From @rjbs

Bug fixed, so resolved unless Niko Tyni (or someone else) shows otherwise!

--
rjbs

@p5pRT p5pRT closed this as completed May 16, 2014

p5pRT commented May 16, 2014

@rjbs - Status changed from 'open' to 'resolved'
