Debian Bug report logs - #411786
tainted $@ taints utf8 substitution result


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Joey Hess <joeyh@debian.org>

Date: Tue, 20 Feb 2007 22:57:01 UTC

Severity: normal

Tags: fixed-upstream

Found in version perl/5.8.8-7

Fixed in version perl/5.14.0-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to http://rt.perl.org/rt3/Ticket/Display.html?id=72360



Report forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#411786; Package perl. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: more taint checking breakage, with ikiwiki
Date: Tue, 20 Feb 2007 17:53:51 -0500
Package: perl
Version: 5.8.8-7
Severity: normal

I have some code that looks like this:

sub dirname ($) { #{{{
        my $file=shift;

        use Scalar::Util;
        print STDERR "in tainted: ".Scalar::Util::tainted($file)."\n";
        $file=~s!/*[^/]+$!!;
        print STDERR "out tainted: ".Scalar::Util::tainted($file)."\n";
        return $file;
} #}}}

And I was able to get this output:

in tainted: 0
out tainted: 0
in tainted: 0
out tainted: 1

So perl is randomly setting the taint flag.

I've attached a 750 line test case in a tarball. Sorry that's not
smaller or simpler, but I already boiled it down from the entirety of
ikiwiki to this. :-)

joey@kodama:~/tmp/for-joeyh/ikiwiki>rm -rf out; ./ikiwiki.in --templatedir=templates --underlaydir=empty --plugin=wikitext --plugin=htmlscrubber -v wiki out --rebuild
in tainted: 0
out tainted: 0
in tainted: 0
out tainted: 1
Insecure dependency in mkdir while running with -T switch at IkiWiki.pm line 282.

A few things that hide the problem:

* Removing either of the --plugin switches, even though both files they
  load are minimal and do nothing.
* In IkiWiki/Render.pm, line 62, commenting out the use of decode_utf8.
  Suggests that this might be a utf8 flag vs taint flag mixup?

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages perl depends on:
ii  libc6                       2.3.6.ds1-11 GNU C Library: Shared libraries
ii  libdb4.4                    4.4.20-8     Berkeley v4.4 Database Libraries [
ii  libgdbm3                    1.8.3-3      GNU dbm database routines (runtime
ii  perl-base                   5.8.8-7      The Pathologically Eclectic Rubbis
ii  perl-modules                5.8.8-7      Core Perl modules

Versions of packages perl recommends:
ii  perl-doc                      5.8.8-7    Perl documentation

-- no debconf information

-- 
see shy jo
[testcase.tgz (application/x-gtar, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#411786; Package perl. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #10 received at 411786@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 411786@bugs.debian.org
Subject: bug still present
Date: Mon, 17 Dec 2007 19:07:02 -0500
The test case still works with v5.8.8. Paweł Tęcza reported that he saw
this bug in the wild with ikiwiki 2.15 and the perl in Ubuntu gutsy.

I think I'm going to have to start disabling taint mode in production
versions of my code due to this bug.

I suspect that this bug and #376329 are related; in both cases perl
randomly sets flags of a scalar when a regexp operates on the scalar.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#411786; Package perl. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #15 received at 411786@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 411786@bugs.debian.org
Subject: still reproducible
Date: Thu, 29 May 2008 14:56:33 -0400
The testcase still works with perl 5.10.0

Have I mentioned how much not being able to use perl's taint checking
*sucks*? :-( :-( :-(

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#411786; Package perl. (Mon, 25 Jan 2010 20:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 25 Jan 2010 20:21:09 GMT) Full text and rfc822 format available.

Message #20 received at 411786@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: perlbug@perl.org
Cc: 411786@bugs.debian.org
Subject: tainted $@ taints utf8 substitution result
Date: Mon, 25 Jan 2010 22:16:39 +0200
This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
generated with the help of perlbug 1.39 running under perl 5.11.4.


-----------------------------------------------------------------
When $@ is tainted, the result of a regexp substitution on a
utf8 string becomes tainted too for no apparent reason.

Seen from at least 5.8.8 up to current blead.

#!perl -T
use Scalar::Util q/tainted/;
$@=$ENV{HOME}; # taint errsv
$f = "out/abc\x{263A}"; # set the utf8 flag
print tainted($f), "\n";
$f =~s!/*[^/]+$!!;
print tainted($f), "\n";
__END__

gives 

0
1

when I'd expect

0
0

(Originally reported as http://bugs.debian.org/411786 ) 

-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.11.4:

Configured by niko at Mon Jan 25 19:04:36 EET 2010.

Summary of my perl5 (revision 5 version 11 subversion 4) configuration:
  Commit id: fe61459e95657c432074058bd8854fec03559335
  Platform:
    osname=linux, osvers=2.6.32-trunk-amd64, archname=x86_64-linux-gnu-thread-multi
    uname='linux madeleine 2.6.32-trunk-amd64 #1 smp sun jan 10 22:40:40 utc 2010 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.11 -Darchlib=/usr/lib/perl/5.11 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.11.4 -Dsitearch=/usr/local/lib/perl/5.11.4 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=both -Doptimize=-O0 -Dusedevel -Uuseshrplib -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O0 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.3 20100108 (prerelease)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.10.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.10.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O0 -g -L/usr/local/lib -fstack-protector'

Locally applied patches:
    

---
@INC for perl 5.11.4:
    lib
    /usr/local/lib/perl/5.11.4
    /usr/local/share/perl/5.11.4
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.11
    /usr/share/perl/5.11
    .

---
Environment for perl 5.11.4:
    HOME=/home/niko
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_CTYPE=fi_FI.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/niko/bin:/home/niko/bin:/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/sbin:/usr/sbin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#411786; Package perl. (Mon, 25 Jan 2010 20:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 25 Jan 2010 20:33:02 GMT) Full text and rfc822 format available.

Message #25 received at 411786@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Joey Hess <joeyh@debian.org>, 411786@bugs.debian.org
Subject: Re: Bug#411786: more taint checking breakage, with ikiwiki
Date: Mon, 25 Jan 2010 22:31:12 +0200
forwarded 411786 http://rt.perl.org/rt3/Ticket/Display.html?id=72360
thanks

On Tue, Feb 20, 2007 at 05:53:51PM -0500, Joey Hess wrote:
> Package: perl
> Version: 5.8.8-7
> Severity: normal

> 	use Scalar::Util;
>         print STDERR "in tainted: ".Scalar::Util::tainted($file)."\n";
>         $file=~s!/*[^/]+$!!;
>         print STDERR "out tainted: ".Scalar::Util::tainted($file)."\n";

> in tainted: 0
> out tainted: 1
> 
> So perl is randomly setting the taint flag.
> 
> I've attached a 750 line test case in a tarball. Sorry that's not
> smaller or simpler, but I already boiled it down from the entirety of
> ikiwiki to this. :-)

I was able to reduce this to

#!/usr/bin/perl -T

print "1..1\n";
package main;
use HTML::Parser;
use Scalar::Util q/tainted/;
use Encode;
my $p = HTML::Parser->new;
$p->parse($ENV{HOME});
$p->eof;
$f = decode_utf8("out/abc");
$f =~s!/*[^/]+$!!;
print Scalar::Util::tainted($f) ? "not ok 1\n" : "ok 1\n";
__END__

which is fixed with Perl 5.10.1; bisecting points at
 http://perl5.git.perl.org/perl.git/commit/8433848b1

However, it turns out that the real problem is that a tainted $@
variable taints the substitution result, and the above change "just"
fixes a case of erroneous tainting of $@ in Perl_call_method() (triggered
in our testcase by XS parts of HTML::Parser).

This snippet still shows the bug on 5.10.1 and current bleadperl:

#!perl -T
use Scalar::Util q/tainted/;
eval { die $ENV{HOME} }; # taint errsv
$f = "out/abc\x{263A}";
print tainted($f), "\n";
$f =~s!/*[^/]+$!!;
print tainted($f), "\n";
__END__

so I've filed upstream ticket [perl #72360].
-- 
Niko Tyni   ntyni@debian.org
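
The reproducer above, extended into a small TAP regression check as an added example; it is not part of the bug log or of perl's own test suite. It applies the report's substitution to a byte string and to a utf8-flagged string, with $@ clean and with $@ tainted, so the four combinations can be compared on a given interpreter. The helper name taint_after_subst, the case labels and the choice of environment value are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added regression check, not code from the bug log or from perl's test suite.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Any non-empty environment value is tainted under -T; it is used to taint $@.
my ($env_value) = grep { length($_) && tainted($_) } values %ENV;
unless (defined $env_value) {
    print "1..0 # SKIP no tainted environment value available\n";
    exit 0;
}

# Apply the substitution from the report to a copy of $str and return
# (taint state of $@ just before it, taint state of the result).
sub taint_after_subst {
    my ($str, $taint_errsv) = @_;
    if ($taint_errsv) {
        eval { die $env_value };    # same trick as the report's reproducer
    } else {
        eval { 1 };                 # a successful eval resets $@
    }
    my $errsv_tainted = tainted($@) ? 1 : 0;
    (my $copy = $str) =~ s!/*[^/]+$!!;
    return ($errsv_tainted, tainted($copy) ? 1 : 0);
}

# Constructed inputs: the report's path with and without the utf8 flag.
my @cases = (
    [ 'byte string, clean $@',   'out/abc',         0 ],
    [ 'byte string, tainted $@', 'out/abc',         1 ],
    [ 'utf8 string, clean $@',   "out/abc\x{263A}", 0 ],
    [ 'utf8 string, tainted $@', "out/abc\x{263A}", 1 ],
);

print "1..", scalar(@cases), "\n";
my $n = 0;
for my $case (@cases) {
    my ($name, $str, $taint_errsv) = @$case;
    my ($errsv_tainted, $leaked) = taint_after_subst($str, $taint_errsv);
    printf "%s %d - %s (\$\@ tainted: %d)\n",
        ($leaked ? 'not ok' : 'ok'), ++$n, $name, $errsv_tainted;
}
```

Run it as "perl -T" followed by the script name so taint mode is on from startup. None of the input strings is tainted, so every case should print "ok"; the last case is the combination the report describes as failing.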




Set Bug forwarded-to-address to 'http://rt.perl.org/rt3/Ticket/Display.html?id=72360'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 25 Jan 2010 20:33:04 GMT) Full text and rfc822 format available.

Changed Bug title to 'tainted $@ taints utf8 substitution result' from 'more taint checking breakage, with ikiwiki' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 21 May 2011 18:21:06 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 30 Jun 2011 16:36:20 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions perl/5.14.0-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 30 Jun 2011 18:33:14 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 13 Nov 2011 17:09:29 GMT) Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Sun, 13 Nov 2011 17:09:29 GMT) Full text and rfc822 format available.

Message #38 received at 411786-done@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 536844-done@bugs.debian.org, 358518-done@bugs.debian.org, 589730-done@bugs.debian.org, 593764-done@bugs.debian.org, 645989-done@bugs.debian.org, 149848-done@bugs.debian.org, 275357-done@bugs.debian.org, 373698-done@bugs.debian.org, 376329-done@bugs.debian.org, 411786-done@bugs.debian.org, 513047-done@bugs.debian.org, 574156-done@bugs.debian.org, 580356-done@bugs.debian.org, 582380-done@bugs.debian.org, 600376-done@bugs.debian.org, 616288-done@bugs.debian.org, 645790-done@bugs.debian.org, 646016-done@bugs.debian.org, 126238-done@bugs.debian.org, 469402-done@bugs.debian.org, 581259-done@bugs.debian.org, 611854-done@bugs.debian.org
Subject: Fixed in perl 5.14
Date: Sun, 13 Nov 2011 17:08:29 +0000
I believe that these bugs have all been fixed in perl 5.14, which
has now migrated from experimental to unstable.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Dec 2011 07:42:29 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 11:20:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.