rtmhal has asked for the wisdom of the Perl Monks concerning the following question:

Found the solution!

I want to encrypt a random number but I am getting the message "Taint checks are turned on and your key is tainted." I can decrypt the data that was passed in but it fails when doing the encrypt. Thanks for any help. rtmhal

    if ( $key =~ /(\w+)/ ) {
        $key = $1;
    }
    my $cipher2 = Crypt::CBC->new( -key => $key, -cipher => 'Twofish' );
    $random_integer = int(rand(100000));
    ($random_integer) = $random_integer =~ /(\d+)/;
    $encrypted_int = $cipher2->encrypt($1);

Replies are listed 'Best First'.
Re: taint when encrypting
by kennethk (Abbot) on Jul 08, 2011 at 19:21 UTC
    My guess based on your error message is that Taint mode is on and you are not untainting $key. If you naively trust the input (I don't know context), you can fix that with:

    ($key) = $key =~ /(.*)/;

    inserted before your $cipher2 declaration. However, if you are running in taint mode, you should likely be less trusting of your input data.

      BUT, don't do that...

      unless you're the sole user; never make a typo; and can confidently rely on access security.

      Better, read the link that kennethk (++) posted.

Re: taint when encrypting
by Anonymous Monk on May 25, 2013 at 23:11 UTC

    This is less for rtmhal than for anyone else who stumbles upon this problem.

    The issue is likely with Crypt::CBC. Version 2.31 had an issue where auto-generated salts were tainting the key. See here

    So the solution is to upgrade to Version 2.32.
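
An added example, not code from any poster in this thread: it runs the two untainting patterns that appear above, `/(.*)/` and the unanchored `/(\w+)/`, next to an anchored allowlist, so the difference in what each one lets through is visible. The sample inputs are constructed, and the allowed character set and the 16 to 64 length limit are assumptions for the sketch; run it with `perl -T`.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Run as: perl -T untaint_key.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with -T so taint checks are active\n" unless ${^TAINT};

# Zero-length tainted string; appending it taints a constructed sample value.
my $taint = substr(join('', %ENV, $0, $^X), 0, 0);
die "could not obtain a tainted value\n" unless tainted($taint);

# Blanket untaint from the reply: accepts anything up to the first newline.
sub untaint_blanket { my ($k) = $_[0] =~ /(.*)/; return $k }

# Unanchored pattern from the question: keeps only the first run of word chars.
sub untaint_first_word { my ($k) = $_[0] =~ /(\w+)/; return $k }

# Anchored allowlist: the whole value must match, otherwise it is rejected.
# The character set and the 16-64 length limit are assumptions for this sketch.
sub untaint_strict {
    my ($k) = $_[0] =~ /\A([A-Za-z0-9_]{16,64})\z/;
    return $k;    # undef when the input does not validate
}

# Constructed sample inputs, tainted as if they had come from a form or a file.
my @samples = map { $_ . $taint } (
    'correct_horse_battery_42',
    "short key; extra\nsecond line",
);

for my $in (@samples) {
    (my $shown = $in) =~ s/\n/\\n/g;    # make the newline visible when printed
    print "input: '$shown' (tainted: ", (tainted($in) ? 'yes' : 'no'), ")\n";
    for my $t ([blanket    => \&untaint_blanket],
               [first_word => \&untaint_first_word],
               [strict     => \&untaint_strict]) {
        my ($name, $fn) = @$t;
        my $out = $fn->($in);
        printf "  %-10s -> %s\n", $name,
            defined $out
              ? "'$out' (tainted: " . (tainted($out) ? 'yes' : 'no') . ")"
              : 'rejected';
    }
}
```

All three patterns clear the taint flag whenever they match; only the anchored one refuses a value instead of silently passing on a truncated or unvalidated key.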