Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Taint removal by sprintf #9018

Closed p5pRT closed 14 years ago

p5pRT commented 17 years ago

Migrated from rt.perl.org#45167 (status was 'resolved')

Searchable as RT45167$

p5pRT commented 17 years ago

From jkb@sanger.ac.uk

Created by jkb@sanger.ac.uk

Perl 5.8.8 seems able to remove the taintedness of a variable by passing it through sprintf, but only in some circumstances. Consider the following code:

```perl
#!/usr/bin/perl -wT
use strict;

print "\$ENV{PATH} '%s' is "  . tainted(sprintf "%s",  $ENV{PATH});
print "\$ENV{PATH} ' %s' is " . tainted(sprintf " %s", $ENV{PATH});
my $v = $ENV{PATH};
print "\$v '%s' is "  . tainted(sprintf "%s",  $v);
print "\$v ' %s' is " . tainted(sprintf " %s", $v);

sub tainted {
    (! eval { eval("#" . substr(join("", @_), 0, 0)); 1 })
        ? "tainted\n" : "clean\n";
}
```

This gives​:

```
$ENV{PATH} '%s' is tainted
$ENV{PATH} ' %s' is tainted
$v '%s' is tainted
$v ' %s' is clean
```

So the net effect is that the taint check on $ENV{PATH} works as expected, but assigning it to a temporary variable and also using a space in the sprintf formatting will strip off the taint checking. This has been tested on perl5.004, 5.6.0, 5.6.1, 5.8.0, and 5.8.8 using a mixture of OSes (x86-64/linux and alpha/Digital Unix).

James

Perl Info

```
Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.4:

Configured by Debian Project at Mon Aug 14 10:44:25 UTC 2006.

Summary of my perl5 (revision 5 version 8 subversion 4) configuration:
  Platform:
    osname=linux, osvers=2.6.12.6, archname=x86_64-linux-thread-multi
    uname='linux intrepid 2.6.12.6 #3 mon oct 31 12:47:37 cet 2005 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.4 -Dsitearch=/usr/local/lib/perl/5.8.4 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.4 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=define uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='3.3.5 (Debian 1:3.3.5-13)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=true, libperl=libperl.so.5.8.4
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.8.4:
    /etc/perl
    /usr/local/lib/perl/5.8.4
    /usr/local/share/perl/5.8.4
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.8
    /usr/share/perl/5.8
    /usr/local/lib/site_perl
    .

Environment for perl v5.8.4:
    HOME=(withheld)
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH=(withheld)
    LOGDIR (unset)
    PATH=(withheld)
    PERL5LIB=(withheld)
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash
```

-- 
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
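The following script is an added example and is not part of the bug report or of the perl5 code base. It re-runs the four sprintf cases from the report as a regression probe, using `Scalar::Util::tainted` instead of the eval-based probe, and then shows the mitigation that does not depend on sprintf propagating taint correctly: untainting each PATH element through an explicit allow-list regex. The character set accepted by `untaint_dir` is a constructed example for illustration, not a general-purpose rule.

```perl
#!/usr/bin/perl -T
# Added example: regression probe for the sprintf taint loss reported above,
# plus explicit allow-list untainting. Run as:  perl -T this_script.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# %ENV values are tainted under -T; without PATH there is nothing to test.
defined $ENV{PATH} or die "PATH is not set; nothing tainted to probe\n";

# The four cases from the report. Each entry is [label, sprintf result].
sub sprintf_taint_cases {
    my $v = $ENV{PATH};
    return (
        [ '$ENV{PATH} "%s"',  sprintf("%s",  $ENV{PATH}) ],
        [ '$ENV{PATH} " %s"', sprintf(" %s", $ENV{PATH}) ],
        [ 'copy $v "%s"',     sprintf("%s",  $v) ],
        [ 'copy $v " %s"',    sprintf(" %s", $v) ],
    );
}

my $lost = 0;
for my $case (sprintf_taint_cases()) {
    my ($label, $value) = @$case;
    my $is_tainted = tainted($value);
    printf "%-20s %s\n", $label, $is_tainted ? "tainted" : "CLEAN (taint lost)";
    $lost++ unless $is_tainted;
}
print "perl ", $], ($lost ? " loses" : " keeps"), " taint through sprintf\n";

# Mitigation: never rely on a formatting function to keep or drop taint.
# Only the capture from a successful regex match is treated as clean, so
# match the exact shape you are willing to trust and return that capture.
# Constructed allow-list: an absolute path made of word chars, '.', '/', '-'.
sub untaint_dir {
    my ($dir) = @_;
    return unless defined $dir;
    return $dir =~ m{^(/[\w./-]*)\z} ? $1 : undef;
}

# Elements of a tainted string are themselves tainted; each one must be
# validated individually before it is used for anything taint-checked.
for my $dir (split /:/, $ENV{PATH}) {
    my $clean = untaint_dir($dir);
    printf "%-30s %s\n", $dir,
        defined $clean ? "accepted (untainted: clean)" : "rejected";
}
```

The first loop reproduces the report's observation on whatever perl runs it, so it doubles as a check that a given build carries the fix (5.14 and later, per the thread). The second loop is the practice the report implicitly argues for: taint is a safety net, and the decision of what counts as clean belongs in an explicit match, not in whichever code path sprintf happened to take.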
p5pRT commented 14 years ago

From @iabyn

still present in blead

p5pRT commented 14 years ago

@iabyn - Status changed from 'new' to 'open'

p5pRT commented 14 years ago

From @iabyn

fixed by commit 3e6bd4bfcd175c613d32ccb2eb2fde8ff580206a in branch davem/post-5.12, which should be merged back into blead after 5.12 is released, and thus make it into 5.14.

p5pRT commented 14 years ago

@iabyn - Status changed from 'open' to 'resolved'