Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

shouldn't return value from MIME::Base64 decode_base64 be tainted? 
#!/usr/bin/perl -T --

use strict;
use warnings;

use MIME::Base64;
use Scalar::Util qw' tainted ';

print 'tainted ', tainted($ENV{PATH}),"\n";
print 'enc ', tainted(encode_base64($ENV{PATH})),"\n";
print 'dec ', tainted(decode_base64(encode_base64($ENV{PATH}))),"\n";
__END__
tainted 1
enc 0
dec 0

[download]
I can understand if encode_base64 returns untainted results, but not decode_base64

Replies are listed 'Best First'.
Re: MIME::Base64 decode_base64 not tainted
by Fletch (Bishop) on Aug 04, 2008 at 12:57 UTC

    Oooh, that's actually a pretty good question. I could see not changing the default behavior (and maybe adding a warning enabled by default if tainting is enabled), and then have an option ($MIME::Base64::PRESERVE_TAINT) or a separate sub (decode_base64_tainted( $blah )) that does preserve taintedness on the returned value. At any rate that's probably worth running past the author and/or p5p.

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.

[reply]
[d/l]
[select]
Re: MIME::Base64 decode_base64 not tainted
by rowdog (Curate) on Aug 05, 2008 at 07:30 UTC

    I don't know the answer here but I did a perldoc -m MIME::Base64 and I see it's going through XS (at least on my machine). Now, of course C has no concept of tainting so when the C variable is copied from the tainted Perl variable and is then returned, it is returned as a copy of the C variable and returned without the tainted flag. (Is it called a flag?)

    If my theory is right, I would think that lots of XS modules could have this issue.

[reply]
      It's very similar with the problem that XS has with the UTF8 flag. It's a common mistake to treat strings internally encoded as iso-latin-1 no differently than strings internally encoded as utf-8, and to lose that info when passing derived strings back to Perl.
[reply]

Back to Seekers of Perl Wisdom