Taint bug with multiple backticks in ref constructors #6982
From lee@smb.worldwideedge.net

Created by lee@leeland.net

If you have multiple backticks in a reference constructor with taint enabled, perl will incorrectly

The following code run with -T throws an exception on 5.6.1 and 5.8.0

This does not.

Perl Info
From @ysth

On Fri, Dec 12, 2003 at 06:14:11PM -0000, "lee@smb.worldwideedge.net (via RT)" <perlbug-followup@perl.org> wrote:

I think the former is more equivalent to:

    my $vars = [ "$tainted", `echo "BAR"` ];

which does throw an exception.

There's a distinction between having a variable to a list and having an

I don't know if this is enough to make it not a bug, though.
From mjtg@cam.ac.uk

lee@smb.worldwideedge.net wrote

Feature, not a bug. perlsec says

The value of an expression containing tainted data will

and later gives exactly your example:

    $arg, `true`; # Insecure (although it isn't really)

Actually, the above quote isn't entirely complete: in addition,

This happens because Perl, for efficiency, only has one 'tainted' flag

Attached is a patch which tries to make the wording more accurate,

Mike Guy

Inline Patch

--- ./pod/perlsec.pod.orig 2003-12-19 17:07:29.488625000 +0000
+++ ./pod/perlsec.pod 2003-12-19 17:10:21.451236000 +0000
@@ -65,12 +65,14 @@
=back
-The value of an expression containing tainted data will itself be
-tainted, even if it is logically impossible for the tainted data to
-affect the value.
+For efficiency reasons, Perl takes a conservative view of
+whether data is tainted. If an expression contains tainted data,
+any subexpression may be considered tainted, even if the value
+of the subexpression is not itself affected by the tainted data.
Because taintedness is associated with each scalar value, some
-elements of an array can be tainted and others not.
+elements of an array or hash can be tainted and others not.
+The keys of a hash are never tainted.
For example:
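Review bot: The replacement sentence "any subexpression may be considered tainted" does not tell the reader when this happens, so the text is more hedged than before but no easier to apply. Consider naming the scope of the conservative rule in this paragraph, or tying it explicitly to the list that follows "For example:". Separately, "The keys of a hash are never tainted." is added as a bare fact right after the sentence on per-element taintedness; a clause saying that a tainted string stored as a key therefore comes back without its taint would state the security consequence where the fact is first introduced.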
@@ -133,7 +135,7 @@
thus trigger an "Insecure dependency" message, you can use the
tainted() function of the Scalar::Util module, available in your
nearby CPAN mirror, and included in Perl starting from the release 5.8.0.
-Or you may be able to use the following I<is_tainted()> function.
+Or you may be able to use the following C<is_tainted()> function.
sub is_tainted {
return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
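Review bot: Now that is_tainted() is marked up as C<is_tainted()>, the "tainted() function" mentioned two lines earlier in the same paragraph is still plain text. Marking it up as C<tainted()> in this hunk would keep the two function references consistent.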
@@ -147,7 +149,8 @@
same expression, the whole expression is considered tainted.
But testing for taintedness gets you only so far. Sometimes you have just
-to clear your data's taintedness. The only way to bypass the tainting
+to clear your data's taintedness. Values may be untainted by using them
+as keys in a hash; otherwise the only way to bypass the tainting
mechanism is by referencing subpatterns from a regular expression match.
Perl presumes that if you reference a substring using $1, $2, etc., that
you knew what you were doing when you wrote the pattern. That means using
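Review bot: The added clause "Values may be untainted by using them as keys in a hash" puts the hash-key route on the same footing as the regex mechanism, but the context that follows justifies the regex route by the author having written a pattern ("you knew what you were doing when you wrote the pattern"), and nothing comparable is checked when a value passes through a hash key. Suggest wording this as a caveat rather than a technique: say that a value read back from a hash key has lost its taint without any validation, and keep the subpattern match as the deliberate way to untaint.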
End of patch

From @rgs

Mike Guy wrote:
Thanks, applied as 21942.
@rgs - Status changed from 'new' to 'resolved'
Migrated from rt.perl.org#24651 (status was 'resolved')
Searchable as RT24651$