This problem was originally in my user info, but I am confused enough now I will ask it correctly. Please believe me when I say I am certain I am correctly detainting all the data. I have read perlsec til my eyes bled. I can reproduce this on perl 5.5.3 running on both Solaris and FreeBSD as well as perl 5.6.0 running on Solaris.

I was working on some code that looked an awful lot like

my $file = $self->{Filename}; # This is detainted early on
my $new_ext = ".new";         # This cannot be tainted

my $new = $self->{Filename} . $new_ext;  # Not tainted
open NEW, "> $new" or die "Couldn't open $new : $!";
[download]

and the open line blew up with a taint violation.

I was unable to eyeball the situation and find my mistake so I added the is_tainted function from perlsec and rewrote the code to look like

my $file = $self->{Filename}; # This is detainted early on
my $new_ext = ".new";         # This cannot be tainted

my $new = $self->{Filename} . $new_ext;  # Not tainted
if ( is_tainted( $new ) ) {
    printf STDERR "%s is tainted by %s\n", $new,
    is_tainted( $file ) ? $file : $new_ext;
}
open NEW, "> $new" or die "Couldn't open $new : $!";
[download]

and this told me that $new_ext was tainted. My understanding of the taint rules says this is impossible - data hard coded in the program cannot be tainted.

Faced with nonsensical errors, I will quickly resort to nsensical solutions and reworked the code to look like

my $file = $self->{Filename}; # This is detainted early on
my $new_ext = ".new";         # This cannot be tainted

my $new = $file . $new_ext;  # Not tainted
if ( is_tainted( $new ) ) {
    printf STDERR "%s is tainted by %s\n", $new,
    is_tainted( $file ) ? $file : $new_ext;
}
open NEW, "> $new" or die "Couldn't open $new : $!";
[download]

and the taint violation went away. According to perlsec, the only way to detaint data is to send it through a regex and reference sub-expressions ( ie, $1, $2 ... ). I have not done that. I did a simple assignment, which is supposed to preserve the taint.

However, in studying the code I realized my original test was not quite correct - I was testing $file for taintedness when $new used $self->{Filename}. A quick examination of the source showed the $self->{Filename} is being detainted. Since being nonsensical had fixed the problem, I tried something equally nonsensical.

my $file = $self->{Filename}; # This is detainted early on
my $new_ext = ".new";         # This cannot be tainted

my $new = $file . $new_ext;  # Not tainted
if ( is_tainted( $self ) ) {
    printf STDERR "\$self ( %s )  is\n", ref( $self );
}
open NEW, "> $new" or die "Couldn't open $new : $!";
[download]

and it told me the object was tainted. How can an object be tainted and, having been tainted, how do I detaint it? If I try to send it through a regex, the reference will be stringified and it will never refernce again. I still am uncertain how it got tainted in the first place.

I have hacked into the wee hours of the morning and was able to generate more data, but I still am unable to make sense of it.

The object getting tainted is being embedded in another object something like this

    $self = { NAME    => $name,
          HEAD    => $TREE->HEAD,
          RCSDIR  => $TREE->RCSDIR,
          ETCDIR  => $TREE->ETCDIR,
          LOGOBJ  => $logfile,
          FILE    => $file,
          SEC     => $param{sec},
          LIB     => $param{lib},
          VFILE   => $TREE }; # This is the object of interest
[download]

A few more debug statements told me the $TREE is not tainted but $self->{VFILE} is. I am still confused - if the data is not tainted, how can an assignment taint it? Oh, further investigation shows everything stored in the hash ref is tainted, but none of the originating data is. This is, I intuit, the clue.

Any suggestions? Any pointers to documentation outside of perlsec to help me understand? Advanced debugging tricks to make perl confess its taint? A well-applied two-by-four to my head?

mikfire