Perl 5.8.8 seems able to remove the taintedness of a variable by passing it through sprintf, but only in some circumstances. Consider the following code:
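    #!/usr/bin/perl -wT
    use strict;

    # Same two formats, first on $ENV{PATH} directly, then on a copy of it.
    print "\$ENV{PATH} '%s' is " . tainted(sprintf "%s", $ENV{PATH});
    print "\$ENV{PATH} ' %s' is " . tainted(sprintf " %s", $ENV{PATH});
    my $v = $ENV{PATH};
    print "\$v '%s' is " . tainted(sprintf "%s", $v);
    print "\$v ' %s' is " . tainted(sprintf " %s", $v);

    # Returns "tainted\n" if any argument is tainted, "clean\n" otherwise:
    # under -T, eval of a string derived from tainted data dies.
    sub tainted {
        (! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }) ? "tainted\n" : "clean\n";
    }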
This gives:
    $ENV{PATH} '%s' is tainted
    $ENV{PATH} ' %s' is tainted
    $v '%s' is tainted
    $v ' %s' is clean
So the net effect is that the taint check on $ENV{PATH} works as expected, but assigning it to a temporary variable and also using a space in the sprintf formatting will strip off the taint checking. This has been tested on perl5.004, 5.6.0, 5.6.1, 5.8.0, and 5.8.8 using a mixture of OSes (x86-64/linux and alpha/Digital Unix).
James
still present in blead
@iabyn - Status changed from 'new' to 'open'
fixed by commit 3e6bd4bfcd175c613d32ccb2eb2fde8ff580206a in branch davem/post-5.12, which should be merged back into blead after 5.12 is released, and thus make it into 5.14.
@iabyn - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#45167 (status was 'resolved')
Searchable as RT45167$
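
A check for whether a given perl keeps taint through sprintf, written for this page as an added example; it is not code from the ticket or from the perl test suite. It assumes Scalar::Util's tainted() in place of the reporter's eval-based helper, and the format strings beyond '%s' and ' %s' are constructed for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The lexical copy is the case the report shows losing its taint.
my $copy = $ENV{PATH};
die "run with -T and with PATH set\n" unless tainted($copy);

# '%s' and ' %s' come from the report; the rest are constructed variants
# that also mix literal text or padding with the tainted argument.
my @formats = ('%s', ' %s', '%s ', 'x%sx', '%10s');

my $failures = 0;

# Print one result line and count any sprintf output that came back clean.
sub report {
    my ($source, $fmt, $is_tainted) = @_;
    $failures++ unless $is_tainted;
    printf "%-11s fmt=%-7s %s\n", $source, "'$fmt'",
        $is_tainted ? 'tainted' : 'CLEAN (taint lost)';
}

for my $fmt (@formats) {
    # Pass each sprintf result straight to tainted(), as the report does,
    # so that no intermediate assignment changes the taint flag.
    report('$ENV{PATH}', $fmt, tainted(sprintf($fmt, $ENV{PATH})));
    report('$copy',      $fmt, tainted(sprintf($fmt, $copy)));
}

# Non-zero exit status if any formatted string lost its taint.
exit($failures ? 1 : 0);
```

Run it with `perl -T` (or execute the file directly so the shebang applies); a non-zero exit status means at least one sprintf result came back untainted.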