Re: variable I expect to be tainted isn't: possible explanations?

Your $two isn't tainted because it is not really user data or derived from user data (but it is set based upon the presence of the option). Try changing it to accept a string parameter to see what happens:

GetOptions('b=s' => \$two);
...

./script.pl -b foo
[download]

I'm not sure why your CGI param is not tainted, mine is (CGI.pm version 2.752).

-derby

update: As for the CGI param not being tainted, when you run under "offline mode", CGI reads from STDIN and passes the data to shellwords (shellwords.pl). shellwords parses the passed data via regex and builds the return value via regex matches - effectively untainting the param. As others have shown, by passing the param on the cmdline (instead of offline), shows the param as tainted.

Comment on Re: variable I expect to be tainted isn't: possible explanations? Download Code

Replies are listed 'Best First'.
(kudra: getopt correction) Re2: variable I expect to be tainted isn't: possible explanations? by kudra (Vicar) on May 21, 2002 at 12:44 UTC
You're right of course. I added the command-line check in quickly later. Making the change suggested by derby shows $two to be tainted (on one of the systems). I tested with Sifmole's syntax (previously I'd just used offline mode) and that shows the variable to be tainted. So this appears to be applicable to just CGI paramater gathering, and only in offline mode. And now derby's provided a nice logical explanation--thanks all! I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening. (CGI version is 2.56 with perl 5.6.0 and 2.80 with perl 5.7.3, which is the system I tested the second time.) Update too many updates to mention... this node was almost like the chatterbox.	[reply]
A fix for shellwords.pl (leave tainted variables tainted) by Ovid (Cardinal) on May 21, 2002 at 16:27 UTC
kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening. I think you're right. These variables should be left tainted. The following hack will leave them tainted. sub shellwords { package shellwords; local($_) = join('', @_) if @_; my $tainted = substr $_,0,0 if defined; # give me an tainted empty + string local(@words,$snippet,$field); s/^\s+//; while ($_ ne '') { $field = ''; for (;;) { if (s/^"(([^"\\]\|\\.))"//) { ($snippet = $1) =~ s#\\(.)#$1#g; } elsif (/^"/) { die "Unmatched double quote: $_\n"; } elsif (s/^'(([^'\\]\|\\.))'//) { ($snippet = $1) =~ s#\\(.)#$1#g; } elsif (/^'/) { die "Unmatched single quote: $_\n"; } elsif (s/^\\(.)//) { $snippet = $1; } elsif (s/^([^\s\\'"]+)//) { $snippet = $1; } else { s/^\s+//; last; } $field .= $snippet; } push(@words, $field); } # this loop will retaint the variables foreach ( @words ) { $_ .= $tainted if defined; } @words; } [download] The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then all returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution. Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do. Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows: `--- shellwords.pl.orig Tue May 21 10:04:07 2002 +++ shellwords.pl Tue May 21 11:12:45 2002 @@ -17,6 +17,7 @@ while ($_ ne '') { $field = ''; for (;;) { + use re 'taint'; # leave strings tainted if (s/^"(([^"\\]\|\\.)*)"//) { ($snippet = $1) =~ s#\\(.)#$1#g; }` [download] Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply] [d/l] [select]