
Taint bug with multiple backticks in ref constructors #6982

Closed
p5pRT opened this issue Dec 12, 2003 · 5 comments

Comments


p5pRT commented Dec 12, 2003

Migrated from rt.perl.org#24651 (status was 'resolved')

Searchable as RT24651$


p5pRT commented Dec 12, 2003

From lee@smb.worldwideedge.net

Created by lee@leeland.net

If you have multiple backticks in a reference constructor with taint enabled, perl will incorrectly
throw a taint exception.

The following code run with -T throws an exception on 5.6.1 and 5.8.0
#!/usr/bin/perl -T
use strict;
use warnings;
# -T refuses to run `` until PATH is untainted and IFS/CDPATH/ENV/BASH_ENV are clean.
$ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
$ENV{ENV} = '';
delete @ENV{qw(IFS CDPATH BASH_ENV)};
# Two backticks inside one anonymous-array constructor: the second `` dies with an
# "Insecure dependency in ``" taint exception.
my $vars = [`echo "FOO"`,`echo "BAR"`];

This does not.
#!/usr/bin/perl -T
use strict;
use warnings;
$ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
$ENV{ENV} = '';
delete @ENV{qw(IFS CDPATH BASH_ENV)};
# The tainted value is produced in its own statement, so the constructor below starts
# with the taint flag clear and does not die, although both elements of @$vars are tainted.
my $tainted = `echo "Tainted"`;
my $vars = [ $tainted, `echo "FOO"`];

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl v5.6.1:

Configured by root at Tue Jul 10 00:51:54 EDT 2001.

Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration:
  Platform:
    osname=linux, osvers=2.2.14-5.0, archname=sparc64-linux
    uname='linux smb.xxx.xxx 2.2.14-5.0 #1 tue mar 7 21:50:41 est 2000 sparc64 unknown '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=define
  Compiler:
    cc='gcc', ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='long double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldb -ldl -lm -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.1.3.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.6.1:
    /usr/local/lib/perl5/5.6.1/sparc64-linux
    /usr/local/lib/perl5/5.6.1
    /usr/local/lib/perl5/site_perl/5.6.1/sparc64-linux
    /usr/local/lib/perl5/site_perl/5.6.1
    /usr/local/lib/perl5/site_perl/5.6.0/sparc64-linux
    /usr/local/lib/perl5/site_perl/5.6.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.6.1:
    HOME=/home/lee
    LANG=en_US
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/home/utils/perl
    PERL_BADLANG (unset)
    SHELL=/bin/bash


p5pRT commented Dec 14, 2003

From @ysth

On Fri, Dec 12, 2003 at 06:14:11PM -0000, "lee@smb.worldwideedge.net (via RT)" <perlbug-followup@perl.org> wrote:

# New Ticket Created by lee@smb.worldwideedge.net
# Please include the string: [perl #24651]
# in the subject line of all future correspondence about this issue.
# <URL: http://rt.perl.org:80/rt3/Ticket/Display.html?id=24651 >

This is a bug report for perl from lee@​leeland.net,
generated with the help of perlbug 1.33 running under perl v5.6.1.

-----------------------------------------------------------------
[Please enter your report here]
If you have multiple backticks in a reference constructor with taint enabled, perl will incorrectly
throw a taint exception.

The following code run with -T throws an exception on 5.6.1 and 5.8.0
#!/usr/bin/perl -T
use strict;
use warnings;
$ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
$ENV{ENV} = '';
my $vars = [`echo "FOO"`,`echo "BAR"`];

This does not.
#!/usr/bin/perl -T
use strict;
use warnings;
$ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
$ENV{ENV} = '';
my $tainted = `echo "Tainted"`;
my $vars = [ $tainted, `echo "FOO"`];

I think the former is more equivalent to:

  my $vars = [ "$tainted", `echo "BAR"` ];

which does throw an exception.

There's a distinction between having a variable to a list and having an
expression.

I don't know if this is enough to make it not a bug, though.


p5pRT commented Dec 19, 2003

From mjtg@cam.ac.uk

lee@smb.worldwideedge.net wrote

If you have multiple backticks in a reference constructor with taint
enabled, perl will incorrectly throw a taint exception.

Feature, not a bug. perlsec says

  The value of an expression containing tainted data will
  itself be tainted, even if it is logically impossible for
  the tainted data to affect the value.

and later gives exactly your example:

  $arg, `true`; # Insecure (although it isn't really)

Actually, the above quote isn't entirely complete​: in addition,
the value of any subexpression *may* be tainted even if it doesn't
contain any tainted data. This is what is happening in your case.
Whether or not tainting occurs in a particular case depends on
the order of evaluation of the expression, so is not in general defined.
Hence you may get anomalous behaviour such as Yitzchak has noted.

This happens because Perl, for efficiency, only has one 'tainted' flag
per expression rather than one per subexpression. So it has to
take a pessimistic view about what might be tainted.

Attached is a patch which tries to make the wording more accurate,
removes some duplication and picks up a couple of other nits.

Mike Guy

Inline Patch
--- ./pod/perlsec.pod.orig	2003-12-19 17:07:29.488625000 +0000
+++ ./pod/perlsec.pod	2003-12-19 17:10:21.451236000 +0000
@@ -65,12 +65,14 @@
 
 =back
 
-The value of an expression containing tainted data will itself be
-tainted, even if it is logically impossible for the tainted data to
-affect the value.
+For efficiency reasons, Perl takes a conservative view of
+whether data is tainted.  If an expression contains tainted data,
+any subexpression may be considered tainted, even if the value
+of the subexpression is not itself affected by the tainted data.
 
 Because taintedness is associated with each scalar value, some
-elements of an array can be tainted and others not.
+elements of an array or hash can be tainted and others not.
+The keys of a hash are never tainted.
 
 For example:
 
@@ -133,7 +135,7 @@
 thus trigger an "Insecure dependency" message, you can use the
 tainted() function of the Scalar::Util module, available in your
 nearby CPAN mirror, and included in Perl starting from the release 5.8.0.
-Or you may be able to use the following I<is_tainted()> function.
+Or you may be able to use the following C<is_tainted()> function.
 
     sub is_tainted {
         return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
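Review bot: I<> to C<> is the right markup for a function name, but the sentence still offers is_tainted() as an alternative to Scalar::Util's tainted() without saying what the trick depends on; add a line noting that the eval dies only because taint propagates through substr() and the "." concatenation into the string handed to eval, which is the propagation rule documented above, so readers do not "simplify" the substr(..., 0, 0) away and silently break the check.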
@@ -147,7 +149,8 @@
 same expression, the whole expression is considered tainted.
 
 But testing for taintedness gets you only so far.  Sometimes you have just
-to clear your data's taintedness.  The only way to bypass the tainting
+to clear your data's taintedness.  Values may be untainted by using them
+as keys in a hash; otherwise the only way to bypass the tainting
 mechanism is by referencing subpatterns from a regular expression match.
 Perl presumes that if you reference a substring using $1, $2, etc., that
 you knew what you were doing when you wrote the pattern.  That means using
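Review bot: "Values may be untainted by using them as keys in a hash" turns an implementation side effect (hash keys are stored as plain strings and cannot carry the taint flag) into a documented laundering route, in the very paragraph meant to steer people toward the regex-capture idiom; either leave only the "keys of a hash are never tainted" statement in the earlier hunk, or phrase this as a caveat, e.g. "Note that hash keys are never tainted, so keys %{{ $x => 1 }} silently untaints $x; do not use this as a validation step", so that the following sentence about Perl presuming you knew what you were doing when you wrote the pattern still carries the warning.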

End of patch
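The cases ysth and Mike Guy describe above, plus the two untainting routes the perlsec patch mentions, as an added example script. It is not code from the ticket, from perl's test suite or from perlsec; the case names, the echo commands and the PATH value are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example for this ticket (not code from the ticket, perl's tests or
# perlsec). It probes whether the "Insecure dependency in ``" exception
# depends on how a tainted value reaches the expression, and then shows the
# two untainting routes named in the perlsec patch.
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core module since perl 5.8.0

# -T requires an untainted PATH and no IFS/CDPATH/ENV/BASH_ENV before any ``.
$ENV{PATH} = '/usr/bin:/bin';   # assumed; adjust for your system
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Each case is a closure so that a taint exception in one case is caught and
# reported without aborting the remaining cases.
my @cases = (
    # Ticket's failing case: two backticks inside one [...] constructor.
    # The first `` sets the per-statement tainted flag; the second `` dies.
    [ 'two backticks in [...]'
        => sub { [ `echo FOO`, `echo BAR` ] } ],

    # Ticket's passing case: the tainted value was assigned in an earlier
    # statement, and pushing $t as a plain list element does not set the
    # flag before the backtick runs its check.
    [ 'variable then backtick'
        => sub { my $t = `echo T`; [ $t, `echo FOO` ] } ],

    # ysth's reformulation: "$t" is an expression that reads the tainted
    # value, so the flag is set and the following backtick dies.
    [ 'interpolated var then backtick'
        => sub { my $t = `echo T`; [ "$t", `echo FOO` ] } ],

    # Same elements, opposite order: the backtick runs before anything
    # tainted has been read, so its check passes (evaluation order matters).
    [ 'backtick then interpolated var'
        => sub { my $t = `echo T`; [ `echo FOO`, "$t" ] } ],

    # Practical workaround: one backtick per statement. The flag is reset
    # at every statement boundary, so no `` ever sees it set.
    [ 'one backtick per statement'
        => sub { my @v; push @v, `echo FOO`; push @v, `echo BAR`; \@v } ],
);

for my $case (@cases) {
    my ($name, $code) = @$case;
    my $ref = eval { $code->() };
    if (!defined $ref) {
        printf "%-34s died: %s", $name, $@;   # $@ ends with a newline
        next;
    }
    printf "%-34s ok, element taint flags: %s\n", $name,
        join ',', map { tainted($_) ? 1 : 0 } @$ref;
}

# Untainting. The regex capture is the documented route and forces you to
# state what you accept; the hash-key route is a side effect of keys being
# stored as plain strings and performs no validation at all.
my $raw = `echo FOO`;
chomp $raw;
my ($via_regex) = $raw =~ /^([A-Z]+)$/;      # validate, then capture
my ($via_key)   = keys %{ { $raw => 1 } };   # launders without checking
printf "taint flags: raw=%d regex=%d hashkey=%d\n",
    map { tainted($_) ? 1 : 0 } $raw, $via_regex, $via_key;
```

Run it as `perl -T example.pl` (the `-T` must be on the command line as well, or perl stops with "Too late for -T"). On the behaviour the ticket and the replies describe, the first and third cases die with the "Insecure dependency" exception, the second succeeds, and, following Mike Guy's explanation that the flag is per statement and order dependent, the fourth and fifth should succeed too, every surviving element reporting a taint flag of 1; the final line should show the raw value tainted and both the regex capture and the hash key untainted.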


p5pRT commented Dec 21, 2003

From @rgs

Mike Guy wrote:

Attached is a patch which tries to make the wording more accurate,
removes some duplication and picks up a couple of other nits.

Thanks, applied as 21942.

--- ./pod/perlsec.pod.orig 2003-12-19 17:07:29.488625000 +0000
+++ ./pod/perlsec.pod 2003-12-19 17:10:21.451236000 +0000

@p5pRT p5pRT closed this as completed Dec 21, 2003

p5pRT commented Dec 21, 2003

@rgs - Status changed from 'new' to 'resolved'
