See: http://bugs.debian.org/303308 .

The issue described concerns $1 getting tainted when a __WARN__ handler
is called (undefined value) during the execution of an expression which
contains a tainted value.  After this point, $1 is always tainted.

From what I can tell, $1 is being tainted from Perl_save_re_context,
invoked prior to the warn subroutine being called.

The following patch appears to correct the problem, although I'm not
sufficiently versed in the taint implementation to say that it's the
correct fix.  An alternate fix is included in the bug report.

Thoughts?

--bod

[Test case from the bug report:]

#!/usr/bin/perl -Tw
$SIG{'__WARN__'} = sub {warn $_[0]};
my $tainted = substr($ENV{'PATH'}, 0, 0);
my $pat = "Testing %s\n" . $tainted;
"foo" =~ m/(.*)/;
my $foo = $1;
my $s = sprintf($pat, undef);  # << corrupts $1!!
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);

[Patch:]

diff -ur ../perl-5.8.7.broken/scope.c ../perl-5.8.7/scope.c
--- ../perl-5.8.7.broken/scope.c        2005-01-20 10:56:27.000000000 +1100
+++ ../perl-5.8.7/scope.c       2005-10-29 15:55:08.697604021 +1000
@@ -210,6 +210,7 @@
        if (SvGMAGICAL(osv)) {
            MAGIC* mg;
            bool oldtainted = PL_tainted;
+           TAINT_NOT;
            mg_get(osv);                /* note, can croak! */
            if (PL_tainting && PL_tainted &&
                        (mg = mg_find(osv, PERL_MAGIC_taint))) {
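
Review bot: The TAINT_NOT added just before mg_get(osv) has no comment saying why PL_tainted is cleared at this point, and the code that restores oldtainted is not visible in this hunk. Please confirm that every path out of the block puts the saved value back, including the one where mg_get croaks (the existing comment notes that it can), because with this change that path would leave the flag cleared rather than at its previous value. A one-line comment stating that taint from the enclosing expression must not leak into the saved variable would help, and since the diff touches only scope.c, the test case from the bug report should be added as a regression test with it.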

