kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.

I think you're right. These variables should be left tainted. The following hack will leave them tainted.

sub shellwords {
    package shellwords;
    local($_) = join('', @_) if @_;
    my $tainted = substr $_,0,0 if defined; # give me an tainted empty
+ string
    local(@words,$snippet,$field);

    s/^\s+//;
    while ($_ ne '') {
    $field = '';
    for (;;) {
        if (s/^"(([^"\\]|\\.)*)"//) {
        ($snippet = $1) =~ s#\\(.)#$1#g;
        }
        elsif (/^"/) {
        die "Unmatched double quote: $_\n";
        }
        elsif (s/^'(([^'\\]|\\.)*)'//) {
        ($snippet = $1) =~ s#\\(.)#$1#g;
        }
        elsif (/^'/) {
        die "Unmatched single quote: $_\n";
        }
        elsif (s/^\\(.)//) {
        $snippet = $1;
        }
        elsif (s/^([^\s\\'"]+)//) {
        $snippet = $1;
        }
        else {
        s/^\s+//;
        last;
        }
        $field .= $snippet;
    }
    push(@words, $field);
    }

    # this loop will retaint the variables
    foreach ( @words ) {
        $_ .= $tainted if defined;
    }
    @words;
}

[download]

The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then *all* returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution.

Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do.

Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows:

--- shellwords.pl.orig  Tue May 21 10:04:07 2002
+++ shellwords.pl       Tue May 21 11:12:45 2002
@@ -17,6 +17,7 @@
     while ($_ ne '') {
        $field = '';
        for (;;) {
+        use re 'taint'; # leave strings tainted
            if (s/^"(([^"\\]|\\.)*)"//) {
                ($snippet = $1) =~ s#\\(.)#$1#g;
            }

[download]

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

In reply to A fix for shellwords.pl (leave tainted variables tainted) by Ovid
in thread variable I expect to be tainted isn't: possible explanations? by kudra

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.