in reply to Re: Perl 5.8.0 PerlIO insecure dependency
in thread Perl 5.8.0 PerlIO insecure dependency

I don't think so. That would allow stuff like
    E:\>set TAINTED=crlf
    E:\>perl -T -e"use PerlIO $ENV{TAINTED};"
    Insecure dependency in eval while running with -T switch at G:/Perl/lib/PerlIO.pm line 22.
    BEGIN failed--compilation aborted at -e line 1.
to slip through, when it clearly shouldn't.

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.

Re: no PerlIO $ENV{TAINTED};
by tachyon (Chancellor) on Apr 13, 2004 at 02:38 UTC

    Actually there is nothing wrong with the behaviour you would get with the patch and your test case (removing the -T to simulate the effect of the patch, as crlf will match ^[\w:]+$):

    [root@devel3 root]# TAINTED=crlf;export TAINTED
    [root@devel3 root]# perl5.8.3 -e 'print $ENV{TAINTED},$/;'
    crlf
    [root@devel3 root]# perl5.8.3 -e 'use PerlIO $ENV{TAINTED};'
    Can't locate PerlIO/crlf.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/5.8.3 /usr/local/lib/perl5/site_perl/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at (eval 1) line 3.
    [root@devel3 root]#

    All that patching it to untaint \w: chars does is allow you to call an arbitrary PerlIO::Widget::Whotnot. That module still has to exist or it will just explode.

    You could make a good argument for a patch like:

    croak "No way hosay...." unless $layer =~ m/^([\w:]+)$/;
    $layer = $1;
    eval "....

    cheers

    tachyon

      That's kind of not the point, I think the value should remain tainted and the user should be made to untaint. A patch of $layer =~ s/[^\w:]//g; would take care of that.

      And btw, that regex is not bulletproof. "foo and exit" and a whole bunch of other nasties could slip by.


        And btw, that regex is not bulletproof. "foo and exit" and a whole bunch of other nasties could slip by.

        Incorrect. Not unless \w has suddenly started to match spaces rather than just [A-Za-z0-9_]. Please show me *ANY* nasty that will pass through. Without spaces, && || ; , etc you have no statement separator you can get into that eval to let you add to the require.

        my @nasties = (
            'foo and exit',
            "foo\nand\nexit\n",
            "hello",
            "foo\000exit",
        );
        for my $layer (@nasties) {
            print $layer =~ m/^([\w:]+)$/ ? "OK $layer\n" : "ERR $layer\n";
        }

        cheers

        tachyon
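The two fixes argued over above (crlf's s/[^\w:]//g, which leaves the value tainted, and tachyon's m/^([\w:]+)$/ capture, which launders it) behave differently under -T in a way that is easy to check directly. The script below is an added demonstration, not code from the thread or from PerlIO.pm: the sample layer names are constructed inline and deliberately tainted by concatenating an empty slice of $ENV{PATH}, and the `eval "require PerlIO::$layer"` is an assumed stand-in for the string eval the thread is discussing, not a quote of PerlIO.pm.

```perl
#!/usr/bin/perl -T
# Added demonstration, not code from PerlIO.pm or from the thread.
# Run as:  perl -T taint_demo.pl   (-T must be given on the command line,
# otherwise perl stops with "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample inputs. Under -T every %ENV value is tainted, and an
# empty slice of one still carries the taint flag, so appending it to a
# literal gives a tainted copy of that literal (stands in for $ENV{TAINTED}).
my $taint = substr($ENV{PATH}, 0, 0);
my @candidates = map { $_ . $taint }
    'crlf', 'foo and exit', "foo\nand\nexit\n", 'hello', "foo\000exit", "foo\n";

# crlf's proposal: strip everything outside [\w:]. The bad bytes go away,
# but a substitution never clears the taint flag, so -T still refuses to
# eval the result.
sub scrub {
    my ($layer) = @_;
    $layer =~ s/[^\w:]//g;
    return $layer;
}

# tachyon's proposal: anchored match, then take the capture. $1 is the only
# thing here that launders taint; on no match we fail closed with undef.
# Note that $ matches before a trailing newline, but $1 never includes it.
sub untaint {
    my ($layer) = @_;
    return undef unless $layer =~ m/^([\w:]+)$/;
    return $1;
}

# Assumed shape of the string eval under discussion (not PerlIO.pm's code).
# Reports why the eval stopped instead of dying.
sub try_require {
    my ($layer) = @_;
    return 'rejected before eval' unless defined $layer;
    local $@;
    my $ok = eval "require PerlIO::$layer; 1";
    return 'loaded' if $ok;
    (my $err = $@) =~ s/\s+\z//;
    return "eval failed: $err";
}

for my $raw (@candidates) {
    # Escape non-printable bytes so NUL and newlines are visible in the output.
    (my $shown = $raw) =~ s/([^[:print:]])/sprintf '\\x%02x', ord $1/ge;
    my $scrubbed = scrub($raw);
    my $clean    = untaint($raw);
    printf "input '%s'\n", $shown;
    printf "  scrub   -> '%s' tainted=%d : %s\n",
        $scrubbed, tainted($scrubbed) ? 1 : 0, try_require($scrubbed);
    printf "  untaint -> %s tainted=%d : %s\n",
        defined $clean ? "'$clean'" : 'undef',
        (defined $clean && tainted($clean)) ? 1 : 0, try_require($clean);
}
```

Every scrubbed value reports tainted=1 and the eval fails with "Insecure dependency in eval while running with -T switch", which is the behaviour crlf wants kept. The captured values are untainted, the multi-line and space-containing candidates come back undef and never reach the eval, and the ones that do pass fail only because no PerlIO::crlf, PerlIO::hello or PerlIO::foo module exists to be found in @INC, which is tachyon's point that the module still has to exist.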