in reply to Re: Re: Taint bug with backticks in variable assignments
in thread Taint bug with backticks in variable assignments

perldoc perlsec
It would be inefficient for every operator to test every argument for taintedness. Instead, the slightly more efficient and conservative approach is used that if any tainted value has been accessed within the same expression, the whole expression is considered tainted.
#!/usr/bin/perl -T
$ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
$ENV{ENV} = '';
my $good = 'good';
my $bad = `echo bad`;
print($bad); print(`echo $good`);   #separate expressions
print($bad), print(`echo $good`);   #single list expression

Re: Re: Re: Re: Taint bug with backticks in variable assignments
by shotgunefx (Parson) on Nov 19, 2003 at 16:14 UTC
    Maybe it's the way I'm reading that, but take the example below, I don't see how that applies. The second element isn't referencing anything that could be tainted.
    #!/usr/bin/perl -T
    $ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
    $ENV{ENV} = '';
    my $commands = [
        `mktemp /tmp/temp.XXXXXX`,
        `mktemp /tmp/temp.XXXXXX`,
    ];


    -Lee

    "To be civilized is to deny one's nature."
      Doesn't matter. "It would be inefficient for every operator to test every argument for taintedness." Once you use tainted data in an expression, any unsafe operator in the same expression is going to trigger a taint exception no matter what its arguments are.
        One more thing, why is this ok then?
        #!/usr/bin/perl -T
        use strict;
        use warnings;
        $ENV{PATH} = '/usr/bin:/usr/local/bin:/bin';
        $ENV{ENV} = '';
        my $tainted = `echo "FOO"`;
        my $vars = [
            $tainted,
            `echo "BAR"`,
        ];
        -Lee
        Thanks, I see what you're getting at. Though I wouldn't think a ref constructor would trigger it. I could see the whole assignment being tainted, but it seems in this example counterintuitive.


        -Lee
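
Added example, not part of the thread or any poster's code: a taint-mode script that tries the single-expression form discussed above and reports what the interpreter does, then runs each `mktemp` in its own statement and untaints the result before using it. It assumes `echo` and `mktemp` are on the restricted PATH; the filename pattern is an assumption about `mktemp` output for this template.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): one backtick per statement, then untaint.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # environment cleanup from perlsec

# The shape discussed in the thread: two backticks inside one expression.
# Report what this interpreter does instead of assuming the outcome.
my $ok = eval { my $pair = [ `echo one`, `echo two` ]; 1 };
print 'single expression: ', ($ok ? "allowed\n" : "rejected: $@");

# Each backtick in its own statement, so tainted output from one
# command is never in the same expression as the next command.
my @raw;
for (1 .. 2) {
    my $out = `mktemp /tmp/temp.XXXXXX`;
    die "mktemp failed (exit status $?)\n" if $? != 0;
    push @raw, $out;
}

# Backtick output is tainted. Untaint by capturing only the exact
# shape expected (assumed pattern), so unlink/open will accept it.
my @paths;
for my $out (@raw) {
    printf "raw output tainted: %s\n", tainted($out) ? 'yes' : 'no';
    my ($path) = $out =~ m{\A(/tmp/temp\.[A-Za-z0-9]{6})\n\z}
        or die "unexpected mktemp output\n";
    push @paths, $path;
}

unlink @paths or warn "unlink failed: $!\n";
print "created and removed: @paths\n";
```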