%+ still untaints data when 'use re qw(taint)' is in scope #9398
From @pjf

Created by @pjf

Under Perl 5.10, the contents of %+ are always considered to be

Below is an example program that demonstrates the issue. I also

```perl
#!/usr/bin/perl -wT
use 5.010;                      # enables say
use Scalar::Util qw(tainted);   # provides tainted()

say '$ARGV[0] is tainted' if tainted($ARGV[0]);
$ARGV[0] =~ /(?<word>\w+)/;
say "Matched $+{word}/$1";
say '$+{word} is ', tainted($+{word}) ? 'tainted' : 'not tainted';
__END__
$ARGV[0] is tainted
```

Perl Info
From @pjf

I'd love to say here's a patch to t/op/taint.t that now has failing

However the tests attached seem to pass just fine on the same Perl as my
From @pjf

0001-Added-tests-for-untainting-while-use-re-qw-taint.patch

From ddcbe37cd9724af57671ba229fa6af53936f17cc Mon Sep 17 00:00:00 2001
From: Paul Fenwick <pjf@perltraining.com.au>
Date: Tue, 1 Jul 2008 16:37:29 +1000
Subject: [PATCH] Added tests for %+ untainting while use re qw(taint) in effect.
---
t/op/taint.t | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)
diff --git a/t/op/taint.t b/t/op/taint.t
index b2688cf..5ddd3f2 100755
--- a/t/op/taint.t
+++ b/t/op/taint.t
@@ -17,7 +17,7 @@ use Config;
use File::Spec::Functions;
BEGIN { require './test.pl'; }
-plan tests => 267;
+plan tests => 269;
$| = 1;
@@ -259,6 +259,9 @@ my $TEST = catfile(curdir(), 'TEST');
test $foo eq 'bar';
{
+
+ # use re 'taint' should stop regexps from untainting data.
+
use re 'taint';
($foo) = ('bar' . $TAINT) =~ /(.+)/;
@@ -268,6 +271,17 @@ my $TEST = catfile(curdir(), 'TEST');
$foo = $1 if ('bar' . $TAINT) =~ /(.+)/;
test tainted $foo;
test $foo eq 'bar';
+
+ # Tests against Perl 5.10's new %+ variable.
+ # It should not untaint when "use re 'taint'" is in scope.
+
+ my $baz;
+
+ ('bar' . $TAINT) =~ /(?<baz>\w+)/;
+ $baz = $+{baz} ;
+ ok(tainted($+{baz}), q{%+ should not untaint with use re 'taint'});
+ is($baz,'bar', q{... but it should still be set correctly} );
+
}
$foo = $1 if 'bar' =~ /(.+)$TAINT/;
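Review bot: The new %+ tests assert taint only on the hash element itself, `tainted($+{baz})`; the copy in `$baz` is checked for its value but never for taint, unlike the numbered-capture cases just above, which run `test tainted $foo` on the copied variable. Add a taint assertion on `$baz` as well so that both the magical element and the copied value are covered. The block also mixes `ok`/`is` with the `test ...` helper used on the surrounding context lines; pick one style, and drop the stray space in `$+{baz} ;`.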
--
1.5.2.2
The RT System itself - Status changed from 'new' to 'open'

From @avar

Named capture variables are never tainted but numbered ones are. This

From @rgs

2008/7/1 via RT Paul Fenwick <perlbug-followup@perl.org>:

I think that's accidental. That should be considered a bug (and fixed).
From rick@bort.ca

On Jun 30 2008, Paul Fenwick wrote:

I didn't see the attachment. The problem below is not with %+, but with Scalar::Util::tainted. It

If you try this with `tainted("$+{word}")` it will show up "tainted".

I'm pretty sure that all functions that require taint-protection

This is enough to make it work for bleadperl but I don't know if more is

Inline Patch

diff -pruN perl-current/ext/List/Util/Util.xs perl-current-dev/ext/List/Util/Util.xs
--- perl-current/ext/List/Util/Util.xs 2006-12-10 11:21:49.000000000 -0500
+++ perl-current-dev/ext/List/Util/Util.xs 2008-07-03 14:59:26.000000000 -0400
@@ -464,6 +464,7 @@ tainted(sv)
SV *sv
PROTOTYPE: $
CODE:
+ SvGETMAGIC(sv);
RETVAL = SvTAINTED(sv);
OUTPUT:
RETVAL
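Review bot: The added `SvGETMAGIC(sv);` in `tainted()` comes with no test, so nothing in this patch shows that the call changes the result for a magical argument. Add a case to the module's tests that calls `tainted()` directly on a value with get magic (the `$+{word}` case from this ticket), and note in the documentation that `tainted()` now runs get magic on its argument.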
-- Rick Delaney
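A small harness for the behaviour discussed in this ticket, added here as an example (not code from the ticket, from perl core or from Scalar::Util): it compares `Scalar::Util::tainted()` on `$+{word}` directly, on a stringified value and on a copy against the `is_tainted()` idiom from perlsec, which reads the value and therefore does not depend on the checker calling get magic. The sample input is constructed with the `$TAINT` idiom used in t/op/taint.t; run it as `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use re 'taint';                      # regex captures keep their taint
use Scalar::Util qw(tainted);

die "run with: perl -T <script>\n" unless ${^TAINT};

# Idiom from perlsec: building the string reads the value (running get
# magic), and a string eval of tainted text dies under -T.
sub is_tainted {
    local $@;                        # don't clobber the caller's $@
    return !eval { eval('#' . substr(join('', @_), 0, 0)); 1 };
}

my $TAINT = substr($^X, 0, 0);       # empty but tainted string
my $input = 'bar' . $TAINT;          # constructed tainted sample input

$input =~ /(?<word>\w+)/ or die "sample input did not match\n";
my $copy = $+{word};                 # plain copy, made by reading %+

my @checks = (
    [ 'tainted($1)',          tainted($1)          ],
    [ 'tainted($+{word})',    tainted($+{word})    ],  # the case reported here
    [ 'tainted("$+{word}")',  tainted("$+{word}")  ],  # workaround from the thread
    [ 'tainted($copy)',       tainted($copy)       ],
    [ 'is_tainted($+{word})', is_tainted($+{word}) ],
);
printf "%-22s %s\n", $_->[0], $_->[1] ? 'tainted' : 'NOT tainted'
    for @checks;

# A row reading "NOT tainted" while is_tainted() reports "tainted" points
# at the checker skipping get magic, as described in this thread, rather
# than at the regex engine having untainted the data.
my @disagree = map { $_->[0] } grep { !$_->[1] } @checks;
print @disagree
    ? "checker disagreement: " . join(', ', @disagree) . "\n"
    : "all checks agree: value is tainted\n";
```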
From @Abigail

On Thu, Jul 03, 2008 at 03:16:46PM +0200, Rafael Garcia-Suarez wrote:

Yes, but only if 're "taint"' is in scope. IMO, the taintness of the

Abigail
From @iabyn

I'm rejecting this as it's not a perl bug. Instead, I've created the ticket https://rt.cpan.org/Public/Bug/Display.html?id=55763 for Scalar::Utils as regards tainted() and get magic.

@iabyn - Status changed from 'open' to 'rejected'
Migrated from rt.perl.org#56490 (status was 'rejected')
Searchable as RT56490$