PerlMonks  

Re: variable I expect to be tainted isn't: possible explanations?

by derby (Abbot)
on May 21, 2002 at 12:31 UTC [id://168093]


in reply to variable I expect to be tainted isn't: possible explanations?

Your $two isn't tainted because it is not really user data or derived from user data (but it is set based upon the presence of the option). Try changing it to accept a string parameter to see what happens:

GetOptions('b=s' => \$two);
...
./script.pl -b foo

I'm not sure why your CGI param is not tainted, mine is (CGI.pm version 2.752).

-derby

Update: As for the CGI param not being tainted, when you run under "offline mode", CGI reads from STDIN and passes the data to shellwords (shellwords.pl). shellwords parses the passed data via regex and builds the return value from regex matches, effectively untainting the param. As others have shown, passing the param on the cmdline (instead of in offline mode) shows the param as tainted.

(kudra: getopt correction) Re2: variable I expect to be tainted isn't: possible explanations?
by kudra (Vicar) on May 21, 2002 at 12:44 UTC
    You're right of course. I added the command-line check in quickly later.

    Making the change suggested by derby shows $two to be tainted (on one of the systems).

    I tested with Sifmole's syntax (previously I'd just used offline mode) and that shows the variable to be tainted.

    So this appears to be applicable to just CGI parameter gathering, and only in offline mode. And now derby's provided a nice logical explanation--thanks all!

    I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.

    (CGI version is 2.56 with perl 5.6.0 and 2.80 with perl 5.7.3, which is the system I tested the second time.)

    Update: too many updates to mention... this node was almost like the chatterbox.

      kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.

      I think you're right. These variables should be left tainted. The following hack will leave them tainted.

      sub shellwords {
          package shellwords;
          local($_) = join('', @_) if @_;
          # give me a tainted empty string: substr of tainted input stays tainted
          my $tainted = defined $_ ? substr($_, 0, 0) : undef;
          local(@words, $snippet, $field);
          s/^\s+//;
          while ($_ ne '') {
              $field = '';
              for (;;) {
                  if (s/^"(([^"\\]|\\.)*)"//) {
                      ($snippet = $1) =~ s#\\(.)#$1#g;
                  }
                  elsif (/^"/) {
                      die "Unmatched double quote: $_\n";
                  }
                  elsif (s/^'(([^'\\]|\\.)*)'//) {
                      ($snippet = $1) =~ s#\\(.)#$1#g;
                  }
                  elsif (/^'/) {
                      die "Unmatched single quote: $_\n";
                  }
                  elsif (s/^\\(.)//) {
                      $snippet = $1;
                  }
                  elsif (s/^([^\s\\'"]+)//) {
                      $snippet = $1;
                  }
                  else {
                      s/^\s+//;
                      last;
                  }
                  $field .= $snippet;
              }
              push(@words, $field);
          }
          # this loop will retaint the variables
          foreach (@words) { $_ .= $tainted if defined $tainted; }
          @words;
      }

      The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then *all* returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution.

      Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do.

      Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows:

      --- shellwords.pl.orig Tue May 21 10:04:07 2002 +++ shellwords.pl Tue May 21 11:12:45 2002 @@ -17,6 +17,7 @@ while ($_ ne '') { $field = ''; for (;;) { + use re 'taint'; # leave strings tainted if (s/^"(([^"\\]|\\.)*)"//) { ($snippet = $1) =~ s#\\(.)#$1#g; }
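Review bot: the `use re 'taint'` added inside the `for (;;)` body does cover every capture that builds `$snippet` below it (the quoted-string matches, the `s#\\(.)#$1#g` unescapes, the backslash and bare-word cases), because the pragma is lexically scoped to the enclosing block, but placed there it reads as if it were re-applied on each iteration; hoisting it to the top of `shellwords`, next to `package shellwords;`, says the same thing more plainly at no cost, since `use` takes effect at compile time. The hunk also carries no test: a short script run under `-T` that feeds a tainted string (for example a literal with `substr($ENV{PATH}, 0, 0)` appended) through `shellwords` and checks each returned word with `Scalar::Util::tainted` would pin down the behaviour this change is meant to guarantee and catch a regression if one of the captures is later rewritten as a non-regex operation.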

      Cheers,
      Ovid

      Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
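The untainting derby describes and the `use re 'taint'` fix Ovid proposes, side by side in a stand-alone script added here; it is not code from the thread or from shellwords.pl. It assumes it is run under `perl -T`, builds a tainted sample by appending an empty substring of `$ENV{PATH}` (tainted under -T, like every %ENV value) to a constructed literal, and uses a deliberately simplified tokenizer (double-quoted strings and bare words only) rather than the full shellwords grammar. The function names `split_words` and `split_words_keep_taint` are the example's own.

```perl
#!/usr/bin/perl -T
# Added example, not part of the PerlMonks thread or of shellwords.pl.
# Shows that a regex capture on tainted input yields untainted words, and that
# `use re 'taint'` keeps them tainted. Run as: perl -T keep_taint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# An empty substring of a tainted value is still tainted, so appending it to a
# constructed literal gives us tainted sample input without CGI or STDIN.
my $taint_source = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);
my $input = 'user "two words" tail' . $taint_source;   # constructed, tainted

# Simplified shellwords-style tokenizer: each word comes out of a capture,
# so under plain -T rules every returned word is untainted.
sub split_words {
    my ($s) = @_;
    my @words;
    while ($s =~ s/^\s*(?:"([^"]*)"|(\S+))//) {
        push @words, defined $1 ? $1 : $2;
    }
    return @words;
}

# Same tokenizer with the pragma in scope: when the target string is tainted,
# the capture variables are tainted too, so the words keep their taint.
sub split_words_keep_taint {
    use re 'taint';   # lexically scoped to this sub body
    my ($s) = @_;
    my @words;
    while ($s =~ s/^\s*(?:"([^"]*)"|(\S+))//) {
        push @words, defined $1 ? $1 : $2;
    }
    return @words;
}

printf "input tainted: %d\n", tainted($input) ? 1 : 0;
for my $w (split_words($input)) {
    printf "  plain regex:    %-14s tainted=%d\n", "'$w'", tainted($w) ? 1 : 0;
}
for my $w (split_words_keep_taint($input)) {
    printf "  use re 'taint': %-14s tainted=%d\n", "'$w'", tainted($w) ? 1 : 0;
}
```

Invoke it with `perl -T` (the shebang alone is not enough if Perl is started without `-T`). Without the pragma each word comes back untainted, which is the laundering kudra observed in CGI's offline mode; with the pragma the words carry the taint of the input, so a later `system()` or `open()` that uses one of them still trips the taint check instead of silently passing user-supplied text through.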
