On Sat, 2005-10-29 at 16:07 +1000, Brendan O'Dea wrote:
> See: http://bugs.debian.org/303308 .
>
> The following patch appears to correct the problem, although I'm not
> sufficiently versed in the taint implementation to say that it's the
> correct fix. An alternate fix is included in the bug report.

My reason for patching mg.c is that anywhere mg_get is called with
PL_tainted == 1, this corruption could occur. Here's another test case,
which patching scope.c doesn't fix:

#!/usr/bin/perl -Tw
my $tainted = substr($ENV{'PATH'}, 0, 0);
"foo" =~ m/(.*)/;
my $s = $1 . $tainted;
"bar" =~ m/(.$tainted*)/;
my $bar = $1;
my $test = 'print "OK\n"' . $tainted;
$test =~ m/(.*)/;
$test = $1; # try to untaint
eval($test);

Chris

> --bod