On Sat, 2005-10-29 at 16:07 +1000, Brendan O'Dea wrote:
> See: http://bugs.debian.org/303308 .
> 
> The following patch appears to correct the problem, although I'm not
> sufficiently versed in the taint implementation to say that it's the
> correct fix.  An alternate fix is included in the bug report.

My reason for patching mg.c is that anywhere mg_get is called with
PL_tainted == 1, this corruption could occur.  Here's another test case,
which patching scope.c doesn't fix:

#!/usr/bin/perl -Tw
my $tainted = substr($ENV{'PATH'}, 0, 0);
"foo" =~ m/(.*)/;
my $s = $1 . $tainted;
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1;   # try to untaint
eval($test);


Chris

> --bod



