Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

no re 'taint' -- does not work #892

Closed p5pRT closed 21 years ago

p5pRT commented 24 years ago

Migrated from rt.perl.org#1824 (status was 'resolved')

Searchable as RT1824$

p5pRT commented 24 years ago

From @muir

```
---------------- cut here -----------------------
#!/bin/sh
exec env PT=zz/yy perl -Tx $0
#!/usr/local/bin/perl -T

no re 'taint';
my $pcold = "/yy";
my $tainted;
if ($ENV{'PT'} =~ m,^(.*)\Q$pcold\E$,) {
    $tainted = "$1/pp";
}

print (STDERR is_tainted($tainted) ? "TAINTED\n" : "NOT TAINTED\n");

sub is_tainted {
    return ! eval {
        join('',@_), kill 0;
        1;
    };
}
---------------- cut here -----------------------
```

The above prints "TAINTED" on 5.005_02 and 5.005_03.

It shouldn't.

Interestingly enough, substituting "/yy" for "\Q$pcold\E" fixes the problem. Why?

Thanks, -Dave

Perl Info

```
Site configuration information for perl 5.00502:

Configured by markm at $Date: 1999/01/17 09:53:34 $.

Summary of my perl5 (5.0 patchlevel 5 subversion 2) configuration:
  Platform:
    osname=freebsd, osvers=3.0-current, archname=i386-freebsd
    uname='freebsd 3.0-current #0: '
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef useperlio=undef d_sfio=undef
  Compiler:
    cc='cc', optimize='undef', gccversion=2.7.2.1
    cppflags=''
    ccflags =''
    stdchar='char', d_stdstdio=undef, usevfork=true
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='ld', ldflags ='-Wl,-E '
    libpth=/usr/lib
    libs=-lm -lc -lcrypt
    libc=undef, so=so, useshrplib=true, libperl=libperl.so.3
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-DPIC -fpic', lddlflags='-shared '

Locally applied patches:

@INC for perl 5.00502:
    /usr/libdata/perl/5.00502/mach
    /usr/libdata/perl/5.00502
    /usr/local/lib/perl5/site_perl/5.005/i386-freebsd
    /usr/local/lib/perl5/site_perl/5.005
    .

Environment for perl 5.00502:
    HOME=/home/muir
    LANG (unset)
    LD_LIBRARY_PATH=.:/usr/lib:/usr/local/lib
    LOGDIR (unset)
    PATH=.:/home/muir/bin/idiom:/home/muir/bin:/home/muir/bin/share:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/shbin:/usr/local/sbin:/usr/local/bin:/usr/local/ptybin:/usr/X11R6/bin:/usr/bin/X11:/usr/local/tex/bin:/usr/ucb:/usr/bin:/bin:/etc:/usr/etc:/usr/games:/lib:/usr/lib:/usr/local/java/bin:/usr/lib/uucp:/usr/openwin/bin:/usr/openwin/bin/xview:/usr/openwin/demo:/usr/adm:/home/muir/tmp
    PERL_BADLANG (unset)
    SHELL=/bin/tcsh
```

p5pRT commented 23 years ago

From [Unknown Contact. See original ticket]

This appears to still be true in bleadperl.

```
#!/bin/sh
exec env PT=zz/yy perl -Tx $0
#!/usr/local/bin/perl -T

no re 'taint';
my $pcold = "/yy";
my $tainted;
if ($ENV{'PT'} =~ m,^(.*)\Q$pcold\E$,) {
    $tainted = "$1/pp";
}

print (STDERR is_tainted($tainted) ? "TAINTED\n" : "NOT TAINTED\n");

sub is_tainted {
    return ! eval {
        join('',@_), kill 0;
        1;
    };
}
---------------- cut here -----------------------
```

The above prints "TAINTED" on 5.005_02 and 5.005_03.

It shouldn't.

Interestingly enough, substituting "/yy" for "\Q$pcold\E" fixes the problem. Why?

Thanks, -Dave

p5pRT commented 21 years ago

From @rspier

chromatic says: #1824 does the right thing on 5.6.0 and 5.8.0.

p5pRT commented 21 years ago

@rspier - Status changed from 'open' to 'resolved'
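
The behaviour discussed in this ticket, written as a regression check. This is an added example, not code from the thread or from the Perl test suite. It goes beyond the ticket by also covering `use re 'taint'` and the literal-pattern variant. Assumptions: `Scalar::Util::tainted` replaces the ticket's `is_tainted`, the input is tainted via `substr($^X, 0, 0)` instead of `%ENV`, and the case labels are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not code from the ticket. Run as: perl -T thisfile
use strict;
use warnings;
use Scalar::Util qw(tainted);   # stands in for the ticket's is_tainted()

# Constructed input: a zero-length slice of $^X is tainted under -T, so
# appending it taints the ticket's sample value without relying on %ENV.
my $input = "zz/yy" . substr($^X, 0, 0);
my $pcold = "/yy";              # untainted suffix, as in the ticket
die "taint mode is off; run with -T\n" unless tainted($input);

my %got;
{   # Default: captures taken from a tainted string come back untainted.
    no re 'taint';
    if ($input =~ m,^(.*)/yy$,)        { $got{'default/literal'}      = "$1/pp"; }
    if ($input =~ m,^(.*)\Q$pcold\E$,) { $got{'default/interpolated'} = "$1/pp"; }
}
{   # Opt-in: captures keep the taint of the string they were cut from.
    use re 'taint';
    if ($input =~ m,^(.*)/yy$,)        { $got{'retaint/literal'}      = "$1/pp"; }
    if ($input =~ m,^(.*)\Q$pcold\E$,) { $got{'retaint/interpolated'} = "$1/pp"; }
}

# 1 = result should be tainted. 'default/interpolated' is the ticket's case.
my %want = (
    'default/literal'      => 0,
    'default/interpolated' => 0,
    'retaint/literal'      => 1,
    'retaint/interpolated' => 1,
);

my $unexpected = 0;
for my $case (sort keys %want) {
    my $is = tainted($got{$case}) ? 1 : 0;
    my $ok = $is == $want{$case};
    $unexpected++ unless $ok;
    printf "%-22s %-11s %s\n", $case,
        $is ? "TAINTED" : "NOT TAINTED", $ok ? "ok" : "UNEXPECTED";
}
exit($unexpected ? 1 : 0);
```

The `(.*)` capture is the ticket's pattern and validates nothing; in the default mode the capture alone clears the taint flag, so real code should match only the characters it is prepared to trust.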