taint propagation regression, tests fail to spot this #6852
From @nwc10 (created by @nwc10)

Tony Finch brought this problem to my attention. I consider this to be critical because we have

1: A regression from 5.8.0 to 5.8.1

Consider these 4 variations of the same script untainting @ARGV: 0,2 match on $ARGV[0] directly, 1,3 match on a copy

```
#!perl -T
my $r = "foo";
$ARGV[0] =~ /($r)/;
my $c = "echo $1";
```

```
my $r = "foo";
my $argv = $ARGV[0];
my $c = "echo $1";
```

```
my $r = "foo";
$ARGV[0] =~ /($r)/;
my $l = $1;
```

```
my $r = "foo";
my $argv = $ARGV[0];
my $l = $1;
```

All 4 are semantically equivalent, yet:

```
$ perl5.8.0 -T t/taint0 foo
$ perl5.8.1 -T t/taint0 foo
```

Hence there is a regression from 5.8.0 to 5.8.1 for taint2

It seems that

1: taint is not being picked up by the regexp engine when matching on a copy

The interpolation into the regexp seems to be crucial here.

Tony's original (5.8.1 I tested with is release 5.8.1 - bug still present in today's maint)

Nicholas Clark
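To check the four variants from the report on a given perl, here is an added harness (not from the bug report or from perl's own test suite) that runs each variant under -T and reports the taint flag of the capture, plus a control case where the pattern itself is built from tainted data; it assumes Scalar::Util::tainted, a single argument "foo", and the placeholder file name taint_check.pl.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_check.pl foo
# Constructed harness (not from the bug report): $ARGV[0] is tainted under -T,
# $r is a clean literal, and Scalar::Util::tainted() reports the taint flag.
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "usage: perl -T taint_check.pl foo\n"
    unless @ARGV == 1 && $ARGV[0] eq 'foo';

my $r = "foo";
my @results;

# Variant 0: match directly on $ARGV[0], use $1 by interpolation
$ARGV[0] =~ /($r)/;
push @results, [ 'direct match, interpolated $1' => tainted("echo $1") ];

# Variant 1: match on a copy of $ARGV[0], use $1 by interpolation
{
    my $argv = $ARGV[0];
    $argv =~ /($r)/;
    push @results, [ 'copy match, interpolated $1' => tainted("echo $1") ];
}

# Variant 2: match directly on $ARGV[0], assign $1 to a lexical
{
    $ARGV[0] =~ /($r)/;
    my $l = $1;
    push @results, [ 'direct match, assigned $1' => tainted($l) ];
}

# Variant 3: match on a copy of $ARGV[0], assign $1 to a lexical
{
    my $argv = $ARGV[0];
    $argv =~ /($r)/;
    my $l = $1;
    push @results, [ 'copy match, assigned $1' => tainted($l) ];
}

# Control: a pattern that interpolates tainted data must taint its capture
{
    my $argv = $ARGV[0];
    $argv =~ /($ARGV[0])/;
    push @results, [ 'tainted pattern (control)' => tainted($1) ];
}

# Report the taint flag for each case so a given perl build can be compared
for my $case (@results) {
    printf "%-32s %s\n", $case->[0], $case->[1] ? 'tainted' : 'clean';
}
```

The four variants correspond to taint0 to taint3 in the report; only the control case uses tainted data in the pattern, which is the one situation where the capture is expected to carry taint.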
From rick@bort.ca

On Sun, Oct 19, 2003 at 02:44:20PM -0000, Nicholas Clark wrote:

Yes, indeed.

More variations (5.8.0, assuming script named "foo"):

```
#!perl -T
my $c = "echo $1";
```

```
#!perl -T
my $c = "echo $1";
```

```
#!perl -T
my $c = "echo $1";
```

It appears that any expression more complicated than a simple scalar
From rick@bort.ca

On Wed, Oct 22, 2003 at 12:49:07AM -0400, Rick Delaney wrote:

[snip]

I've poked through the source a bit with a ten-foot pole and started

```
sub is_tainted {
```

This function makes use of the fact that the presence of tainted data

What that really means is that if PL_tainted is set by some operation in

```
$0, kill 0; # kill succeeds (PL_tainted never set)
```

My question is, "Is this behaviour acceptable?" Should operators reset
From rick@bort.ca

While waiting for opinions on my questions I've formed my own opinions.

On Sun, Oct 19, 2003 at 02:44:20PM -0000, Nicholas Clark wrote:

PL_tainted is being set to true in an expression more complicated than a

I don't see this in the examples. 5.8.0 appears to be losing the taint

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2002-08/msg00204.html

Rectified in below patch which also makes all of the above examples

Note 1: pp_regcmaybe possibly needs the same change but since I don't

Note 2: If we were to add these tests:

```
test 221, !eval { "x".$TAINT, $notaint =~ /(1)/, kill 0; 1 };
```

they would all fail after my patch while only 221 and 223 fail before my

--- t/op/taint.t.orig Wed Nov 5 14:53:48 2003
+++ t/op/taint.t Wed Nov 5 16:55:43 2003
@@ -124,7 +124,7 @@
my $TEST = catfile(curdir(), 'TEST');
-print "1..208\n";
+print "1..220\n";
# First, let's make sure that Perl is checking the dangerous
# environment variables. Maybe they aren't set yet, so we'll
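Review bot: the plan bump from 208 to 220 matches the twelve tests numbered 209 to 220 added in the next hunk, but the count is a hand-maintained literal; if the extra tests sketched in Note 2 (221 onwards) are added later this line has to move with them, so a short comment beside the plan line pointing at the new block, or deriving the count from a counter, would keep the two from drifting.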
@@ -993,3 +993,35 @@
eval { system("lskdfj"); };
test 208, $@ =~ /^%ENV is aliased to %nonmagicalenv while running with -T switch/;
}
+{
+ # [perl #24248]
+ $TAINT =~ /(.*)/;
+ test 209, !tainted($1);
+ my $notaint = $1;
+ test 210, !tainted($notaint);
+
+ my $l;
+ $notaint =~ /($notaint)/;
+ $l = $1;
+ test 211, !tainted($1);
+ test 212, !tainted($l);
+ $notaint =~ /($TAINT)/;
+ $l = $1;
+ test 213, tainted($1);
+ test 214, tainted($l);
+
+ $TAINT =~ /($notaint)/;
+ $l = $1;
+ test 215, !tainted($1);
+ test 216, !tainted($l);
+ $TAINT =~ /($TAINT)/;
+ $l = $1;
+ test 217, tainted($1);
+ test 218, tainted($l);
+
+ my $r;
+ ($r = $TAINT) =~ /($notaint)/;
+ test 219, !tainted($1);
+ ($r = $TAINT) =~ /($TAINT)/;
+ test 220, tainted($1);
+}
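Review bot: every `test` in this block inspects $1 without first checking that the preceding match succeeded; on a failed match $1 keeps the capture from the last successful match in scope, so a pattern that silently stops matching would make tests such as 213/214 or 217/218 pass or fail for the wrong reason. Suggest folding the match result into the assertion, e.g. `test 213, ($notaint =~ /($TAINT)/) && tainted($1);`, or checking the match separately before the taint test.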
--- pp_ctl.c.orig Wed Nov 5 14:46:59 2003
+++ pp_ctl.c Wed Nov 5 16:49:23 2003
@@ -59,6 +59,7 @@
/* XXXX Should store the old value to allow for tie/overload - and
restore in regcomp, where marked with XXXX. */
PL_reginterp_cnt = 0;
+ TAINT_NOT;
return NORMAL;
}
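Review bot: the `TAINT_NOT` is added only on the return path visible here (the one ending in `PL_reginterp_cnt = 0; return NORMAL;`) and carries no comment, so a later reader will not know why PL_tainted is cleared at this point; add a one-line comment stating that stale taint left by an earlier op must not leak into the compiled pattern (cf. #24248), and confirm that the function's other return paths, and pp_regcmaybe as raised in Note 1 of the message, either get the same reset or demonstrably do not need it.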
From ams@wiw.org

At 2003-11-05 23:02:41 -0500, rick@bort.ca wrote:

That's a nice kind of opinion.

ams
From @hvds

Rick Delaney <rick@bort.ca> wrote:

I didn't fully understand that, and it made me worry that something

Are we talking only about whether complexity of expressions _preceding_

Hugo
From rick@bort.ca

On Fri, Nov 07, 2003 at 04:30:33PM +0000, hv@crypt.org wrote:

Yes.

That was the conclusion I came to as well. I brought it up in case
From @smpeters

On Sun Oct 19 07:44:18 2003, nicholas wrote:

We did have a nice patch (change #21674) that seemed to resolve this problem. Or didn't it.

Steve

@smpeters - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#24248 (status was 'resolved')
Searchable as RT24248$