I was working on some code that looked an awful lot like
and the open line blew up with a taint violation.my $file = $self->{Filename}; # This is detainted early on my $new_ext = ".new"; # This cannot be tainted my $new = $self->{Filename} . $new_ext; # Not tainted open NEW, "> $new" or die "Couldn't open $new : $!";
I was unable to eyeball the situation and find my mistake so I added the is_tainted function from perlsec and rewrote the code to look like
and this told me that $new_ext was tainted. My understanding of the taint rules says this is impossible - data hard coded in the program cannot be tainted.my $file = $self->{Filename}; # This is detainted early on my $new_ext = ".new"; # This cannot be tainted my $new = $self->{Filename} . $new_ext; # Not tainted if ( is_tainted( $new ) ) { printf STDERR "%s is tainted by %s\n", $new, is_tainted( $file ) ? $file : $new_ext; } open NEW, "> $new" or die "Couldn't open $new : $!";
Faced with nonsensical errors, I will quickly resort to ����nsensical solutions and reworked the code to look like
and the taint violation went away. According to perlsec, the only way to detaint data is to send it through a regex and reference sub-expressions ( ie, $1, $2 ... ). I have not done that. I did a simple assignment, which is supposed to preserve the taint.my $file = $self->{Filename}; # This is detainted early on my $new_ext = ".new"; # This cannot be tainted my $new = $file . $new_ext; # Not tainted if ( is_tainted( $new ) ) { printf STDERR "%s is tainted by %s\n", $new, is_tainted( $file ) ? $file : $new_ext; } open NEW, "> $new" or die "Couldn't open $new : $!";
However, in studying the code I realized my original test was not quite correct - I was testing $file for taintedness when $new used $self->{Filename}. A quick examination of the source showed the $self->{Filename} is being detainted. Since being nonsensical had fixed the problem, I tried something equally nonsensical.
and it told me the object was tainted. How can an object be tainted and, having been tainted, how do I detaint it? If I try to send it through a regex, the reference will be stringified and it will never refernce again. I still am uncertain how it got tainted in the first place.my $file = $self->{Filename}; # This is detainted early on my $new_ext = ".new"; # This cannot be tainted my $new = $file . $new_ext; # Not tainted if ( is_tainted( $self ) ) { printf STDERR "\$self ( %s ) is\n", ref( $self ); } open NEW, "> $new" or die "Couldn't open $new : $!";
I have hacked into the wee hours of the morning and was able to generate more data, but I still am unable to make sense of it.
The object getting tainted is being embedded in another object something like this
A few more debug statements told me the $TREE is not tainted but $self->{VFILE} is. I am still confused - if the data is not tainted, how can an assignment taint it? Oh, further investigation shows everything stored in the hash ref is tainted, but none of the originating data is. This is, I intuit, the clue.$self = { NAME => $name, HEAD => $TREE->HEAD, RCSDIR => $TREE->RCSDIR, ETCDIR => $TREE->ETCDIR, LOGOBJ => $logfile, FILE => $file, SEC => $param{sec}, LIB => $param{lib}, VFILE => $TREE }; # This is the object of interest
Any suggestions? Any pointers to documentation outside of perlsec to help me understand? Advanced debugging tricks to make perl confess its taint? A well-applied two-by-four to my head?
In reply to I am so tainted by mikfire
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |