[bug] taint mode and instruction modifier #6003

Closed
p5pRT opened this issue Oct 11, 2002 · 9 comments

Comments

p5pRT commented Oct 11, 2002

Migrated from rt.perl.org#17867 (status was 'rejected')

Searchable as RT17867$

p5pRT commented Oct 11, 2002

From @jquelin

Here's a strange behavior.
Could you tell me whether it's a feature or not - I think it should be a bug.

Under taint mode, using instruction modifiers does not get the same result as
regular flow control instructions:

$ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
foobar

This behavior seems rather strange to me.

This bug is present in:
- perl 5.6.1 (linux),
- perl 5.8.0 RC2 (linux),
- perl 5.8.0 (linux),
- perl 5.8.0 (freebsd)

Cheers,
Jerome Quelin
--
jquelin@mongueurs.net

p5pRT commented Oct 12, 2002

From goldbb2@earthlink.net

Jerome Quelin (via RT) wrote:

# New Ticket Created by Jerome Quelin
# Please include the string: [perl #17867]
# in the subject line of all future correspondence about this issue.
# <URL: http://rt.perl.org/rt2/Ticket/Display.html?id=17867 >

Here's a strange behavior.
Could you tell me whether it's a feature or not - I think it should be
a bug.

Under taint mode, using instruction modifiers does not get the same
result as regular flow control instructions:

$ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
foobar

This behavior seems rather strange to me.

Any time that you say
  EXPR1 if EXPR2;
, it's just as if you had said
  (EXPR2) and (EXPR1);

If EXPR2 is tainted, the taint propagates into EXPR1.
What you've seen with the 'if' modifier is merely an extension of
the behavior of 'and'.

On windows95, either of the following:
  perl -Te "$c='print q[foo]';pop and $c.='.q[bar]'; eval $c" 1
  perl -Te "$c='print q[foo]';pop or $c.='.q[bar]'; eval $c" 0
will produce:
  Unrecognized switch: -te (-h will show valid options).
(The fact that it's win95 is only relevant towards quoting issues).

--
my $n = 2; print +(split //, 'e,4c3H r ktulrnsJ2tPaeh'
...."\n1oa! er")[map $n = ($n * 24 + 30) % 31, (42) x 26]

p5pRT commented Oct 12, 2002

From @jquelin

On Saturday 12 October 2002 09:14, Benjamin Goldberg (via RT) wrote:

Any time that you say
EXPR1 if EXPR2;
, it's just as if you had said
(EXPR2) and (EXPR1);
If EXPR2 is tainted, the taint propagates into EXPR1.
What you've seen with the 'if' modifier is merely an extension of
the behavior of 'and'.

I agree that if you say:
  EXPR3 = EXPR2 and EXPR1

that EXPR3 should be tainted if EXPR2 is tainted. But why does EXPR1 get
tainted too?

I can also imagine that​:
  EXPR3 = EXPR1 if EXPR2

would taint EXPR3 if EXPR2 is tainted.
But I can't imagine why EXPR1 gets tainted too. And even if I manage to
imagine why EXPR1 is tainted too, then I can't imagine why:
  if (EXPR2) { EXPR1 }
does not taint EXPR1.

The two ifs are supposed to work the same way...

On windows95, either of the following:
perl -Te "$c='print q[foo]';pop and $c.='.q[bar]'; eval $c" 1
perl -Te "$c='print q[foo]';pop or $c.='.q[bar]'; eval $c" 0
will produce:
Unrecognized switch: -te (-h will show valid options).
(The fact that it's win95 is only relevant towards quoting issues).

Can't understand this... What do you want to say? That I can't use the -T
switch in a one-liner? I think you pasted the wrong error message! :-)

See you,
Jerome
--
jquelin@mongueurs.net

p5pRT commented Oct 13, 2002

From @schwern

On Sat, Oct 12, 2002 at 03:19:42AM -0400, Benjamin Goldberg wrote:

Here's a strange behavior.
Could you tell me whether it's a feature or not - I think it should be
a bug.

Under taint mode, using instruction modifiers does not get the same
result as regular flow control instructions:

$ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
foobar

This behavior seems rather strange to me.

Any time that you say
EXPR1 if EXPR2;
, it's just as if you had said
(EXPR2) and (EXPR1);

If EXPR2 is tainted, the taint propagates into EXPR1.

Why does it do that? EXPR1 isn't altered by EXPR2. The only effect EXPR2
can have on EXPR1 is whether or not it's executed. And no other control
modifier propagates taintedness in that way.

--

Michael G. Schwern <schwern@pobox.com> http://www.pobox.com/~schwern/
Perl Quality Assurance <perl-qa@perl.org> Kwalitee Is Job One
The desired effect is what you get when you improve your interplanetary
funksmanship.

p5pRT commented Oct 13, 2002

From goldbb2@earthlink.net

Michael G Schwern wrote​:

On Sat, Oct 12, 2002 at 03:19:42AM -0400, Benjamin Goldberg wrote:

Here's a strange behavior.
Could you tell me whether it's a feature or not - I think it should be
a bug.

Under taint mode, using instruction modifiers does not get the same
result as regular flow control instructions:

$ perl -Tle '$cmd="print q(foo)";$cmd.=".q(bar)" if pop; eval $cmd' foo
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -Tle '$cmd="print q(foo)";if(pop){$cmd.=".q(bar)"} eval $cmd' foo
foobar

This behavior seems rather strange to me.

Any time that you say
EXPR1 if EXPR2;
, it's just as if you had said
(EXPR2) and (EXPR1);

If EXPR2 is tainted, the taint propagates into EXPR1.

Why does it do that? EXPR1 isn't altered by EXPR2. The only effect EXPR2
can have on EXPR1 is whether or not it's executed. And no other control
modifier propagates taintedness in that way.

Umm, err, now *that*, I don't have an answer to. I'm just saying that
this behavior is merely an extension of previously known *and documented*
behavior. From perldoc perlsec:

  Laundering and Detecting Tainted Data

  To test whether a variable contains tainted data, and whose use would
  thus trigger an "Insecure dependency" message, check your nearby CPAN
  mirror for the Taint.pm module, which should become available around
  November 1997. Or you may be able to use the following *is_tainted()*
  function.

  sub is_tainted {
      return ! eval {
          join('',@_), kill 0;
          1;
      };
  }

  This function makes use of the fact that the presence of tainted data
  anywhere within an expression renders the entire expression tainted. It
  would be inefficient for every operator to test every argument for
  taintedness. Instead, the slightly more efficient and conservative
  approach is used that if any tainted value has been accessed within the
  same expression, the whole expression is considered tainted.

--
my $n = 2; print +(split //, 'e,4c3H r ktulrnsJ2tPaeh'
...."\n1oa! er")[map $n = ($n * 24 + 30) % 31, (42) x 26]

p5pRT commented Oct 14, 2002

From @schwern

On Sun, Oct 13, 2002 at 03:22:02PM -0400, Benjamin Goldberg wrote:

Why does it do that? EXPR1 isn't altered by EXPR2. The only effect EXPR2
can have on EXPR1 is whether or not it's executed. And no other control
modifier propagates taintedness in that way.

Umm, err, now *that*, I don't have an answer to. I'm just saying that
this behavior is merely an extension of previously known *and documented*
behavior. From perldoc perlsec:

<snip>

This function makes use of the fact that the presence of tainted data
anywhere within an expression renders the entire expression tainted. It
would be inefficient for every operator to test every argument for
taintedness. Instead, the slightly more efficient and conservative
approach is used that if any tainted value has been accessed within the
same expression, the whole expression is considered tainted.

Ahh, ok. An optimization hack.

--

Michael G. Schwern <schwern@pobox.com> http://www.pobox.com/~schwern/
Perl Quality Assurance <perl-qa@perl.org> Kwalitee Is Job One
I sit on the floor and pick my nose
  and think of dirty things
Of deviant dwarfs who suck their toes
  and elves who drub their dings.
  -- Frito Bugger, "Bored Of The Rings"

p5pRT commented Oct 15, 2002

From @jquelin

On Monday 14 October 2002 23:55, Michael G Schwern (via RT) wrote:

Instead, the slightly more efficient and conservative
approach is used that if any tainted value has been accessed within the
same expression, the whole expression is considered tainted.
Ahh, ok. An optimization hack.

The whole expression is considered tainted, yes, but not every sub-expression
within the whole expression.
That is, if EXPR1 is tainted, then:
  EXPR1 + EXPR2 + EXPR3
is tainted, but EXPR2 and EXPR3 remain non-tainted.

And that's what the docs say. At least, that's how I understand them. :-)

Jerome
--
jquelin@mongueurs.net

p5pRT commented Jun 29, 2011

From @iabyn

I'm marking it as not-a-bug, because it's documented behaviour.

The "bad" code can be reduced to

  $cmd.="a" if $^X; # $cmd is tainted

which is equivalent to

  $^X && ($cmd .= "a"); # $cmd is tainted

The expression becomes tainted by $^X, so the concatenation
taints its result.
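A runnable version of that reduction, added here and not part of the ticket: it builds the eval string both ways, with a constructed tainted value derived from %ENV, and uses Scalar::Util::tainted (core since 5.8.0) instead of perlsec's kill-based is_tainted to check the result before it reaches eval. Run it as `perl -T example.pl`.

```perl
#!/usr/bin/perl -T
# Added example, not from the ticket: reproduces the reduction above with
# one function per form and checks the result before it reaches eval.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted value: %ENV is tainted under -T and substr() keeps
# the taint even for an empty slice; the appended "1" makes it true so
# the conditional branch actually runs.
my $untrusted = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0) . '1';

# Statement-modifier form, parsed as ($flag && ($cmd .= '.q(bar)')):
# one expression, so reading the tainted $flag marks the whole expression
# tainted and the concatenation result inherits the flag.
sub build_with_modifier {
    my ($flag) = @_;
    my $cmd = 'print q(foo)';
    $cmd .= '.q(bar)' if $flag;
    return $cmd;
}

# Block form: the condition and the concatenation are separate statements,
# so the per-statement taint flag is cleared before $cmd is modified.
sub build_with_block {
    my ($flag) = @_;
    my $cmd = 'print q(foo)';
    if ($flag) { $cmd .= '.q(bar)' }
    return $cmd;
}

for my $build (\&build_with_modifier, \&build_with_block) {
    my $cmd = $build->($untrusted);
    if (tainted($cmd)) {
        # Stop here rather than let eval die with "Insecure dependency".
        print "tainted, refusing to eval: $cmd\n";
    } else {
        eval $cmd;
        print "\n";
    }
}
```

The modifier form is reported as tainted and skipped; the block form evaluates and prints foobar, matching the two one-liners at the top of the ticket.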

p5pRT commented Jun 29, 2011

@iabyn - Status changed from 'open' to 'rejected'
