in reply to how to make lexical pragma global, hints ( pl_hints $^H %^H ), taint::all
Thanks tobyink, I did see that in my search but I found it unsatisfactory
Ok, this will add use re 'taint'; for all modules -- kinda like a source filter -- probably doesn't play well with PAR :)
also makes printing on STDOUT die if tainted
$ perl -I. -Tle "use retaint; retaint::foo(); print 123; print substr +$ENV{PATH}, 0, 1; " retaint.pm:20: tainted? 1 retaint.pm:21: tainted? 0 123 D $ perl -I. -Tle "use taintall; use retaint; retaint::foo(); print 123; + print substr $ENV{PATH}, 0, 1; " /loader/0xb61cbc/retaint.pm:21: tainted? 1 /loader/0xb61cbc/retaint.pm:22: tainted? 1 123 Insecure dependency in 'print' at -e line 1.
taintall.pm
package taintall; use strict; use re (); use Module::Util(); use File::Temp(); use Tie::STDOUT print => sub { use Carp; use Taint::Util(); croak( "Insecure dependency in 'print'" ) if grep { Taint::Util::tainted( $_ ) } @_; print @_; }, ;;;;; $Carp::Internal{ ( 'Tie::STDOUT' ) }++; unshift @INC, sub { my( $thiscoderef, $filename ) = @_; my $package = Module::Util::fs_path_to_module( $filename ); my $fullpath = Module::Util::find_installed( $package ); ## tempfile because of #~ https://rt.perl.org/rt3//Public/Bug/Display.html?id=96008# #96008: +use and require are affected by the open pragma #~ https://rt.perl.org/rt3//Public/Bug/Display.html?id=75722# #75722: +Recursive call to Perl_load_module in PerlIO_find_layer my( $tempFh, $tempFilename ) = File::Temp::tempfile(); return if not $fullpath or not $tempFilename; binmode $tempFh; print $tempFh "use re 'taint'; "; #line 0 { open my( $fh ), '<', $fullpath or die "Can't read ($fullpath): $!\n$^E\n "; binmode $fh; print $tempFh readline $fh; close $fh; } seek $tempFh, 0, 0; return $tempFh; };;;;; sub import { re->import( 'taint' ); } 1;
retaint.pm
|
|---|