(kudra: getopt correction) Re2: variable I expect to be tainted isn't: possible explanations?

You're right of course. I added the command-line check in quickly later.

Making the change suggested by derby shows $two to be tainted (on one of the systems).

I tested with Sifmole's syntax (previously I'd just used offline mode) and that shows the variable to be tainted.

So this appears to be applicable to just CGI paramater gathering, and only in offline mode. And now derby's provided a nice logical explanation--thanks all!

I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.

(CGI version is 2.56 with perl 5.6.0 and 2.80 with perl 5.7.3, which is the system I tested the second time.)

Update too many updates to mention... this node was almost like the chatterbox.

Comment on (kudra: getopt correction) Re2: variable I expect to be tainted isn't: possible explanations?

Replies are listed 'Best First'.
A fix for shellwords.pl (leave tainted variables tainted) by Ovid (Cardinal) on May 21, 2002 at 16:27 UTC
kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening. I think you're right. These variables should be left tainted. The following hack will leave them tainted. sub shellwords { package shellwords; local($_) = join('', @_) if @_; my $tainted = substr $_,0,0 if defined; # give me an tainted empty + string local(@words,$snippet,$field); s/^\s+//; while ($_ ne '') { $field = ''; for (;;) { if (s/^"(([^"\\]\|\\.))"//) { ($snippet = $1) =~ s#\\(.)#$1#g; } elsif (/^"/) { die "Unmatched double quote: $_\n"; } elsif (s/^'(([^'\\]\|\\.))'//) { ($snippet = $1) =~ s#\\(.)#$1#g; } elsif (/^'/) { die "Unmatched single quote: $_\n"; } elsif (s/^\\(.)//) { $snippet = $1; } elsif (s/^([^\s\\'"]+)//) { $snippet = $1; } else { s/^\s+//; last; } $field .= $snippet; } push(@words, $field); } # this loop will retaint the variables foreach ( @words ) { $_ .= $tainted if defined; } @words; } [download] The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then all returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution. Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do. Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows: `--- shellwords.pl.orig Tue May 21 10:04:07 2002 +++ shellwords.pl Tue May 21 11:12:45 2002 @@ -17,6 +17,7 @@ while ($_ ne '') { $field = ''; for (;;) { + use re 'taint'; # leave strings tainted if (s/^"(([^"\\]\|\\.)*)"//) { ($snippet = $1) =~ s#\\(.)#$1#g; }` [download] Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply] [d/l] [select]

Replies are listed 'Best First'.

A fix for shellwords.pl (leave tainted variables tainted)
by Ovid (Cardinal) on May 21, 2002 at 16:27 UTC

kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.

I think you're right. These variables should be left tainted. The following hack will leave them tainted.

sub shellwords {
    package shellwords;
    local($_) = join('', @_) if @_;
    my $tainted = substr $_,0,0 if defined; # give me an tainted empty
+ string
    local(@words,$snippet,$field);

    s/^\s+//;
    while ($_ ne '') {
    $field = '';
    for (;;) {
        if (s/^"(([^"\\]|\\.)*)"//) {
        ($snippet = $1) =~ s#\\(.)#$1#g;
        }
        elsif (/^"/) {
        die "Unmatched double quote: $_\n";
        }
        elsif (s/^'(([^'\\]|\\.)*)'//) {
        ($snippet = $1) =~ s#\\(.)#$1#g;
        }
        elsif (/^'/) {
        die "Unmatched single quote: $_\n";
        }
        elsif (s/^\\(.)//) {
        $snippet = $1;
        }
        elsif (s/^([^\s\\'"]+)//) {
        $snippet = $1;
        }
        else {
        s/^\s+//;
        last;
        }
        $field .= $snippet;
    }
    push(@words, $field);
    }

    # this loop will retaint the variables
    foreach ( @words ) {
        $_ .= $tainted if defined;
    }
    @words;
}
[download]

The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then *all* returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution.

Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do.

Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows:

--- shellwords.pl.orig  Tue May 21 10:04:07 2002
+++ shellwords.pl       Tue May 21 11:12:45 2002
@@ -17,6 +17,7 @@
     while ($_ ne '') {
        $field = '';
        for (;;) {
+        use re 'taint'; # leave strings tainted
            if (s/^"(([^"\\]|\\.)*)"//) {
                ($snippet = $1) =~ s#\\(.)#$1#g;
            }
[download]

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

[reply]
[d/l]
[select]