
Re: Problems with Taint corruption in 5.8.7

From: Ryan Anderson <r...@autoweb.net>
Mon, 27 Jun 2005 15:58:52 -0400
I think I have found the problem detailed here, read below for what was
discovered.

On Tue, 2005-06-21 at 16:29 -0400, Ryan Anderson wrote:
> I've been running into a problem with taint checks failing in an
> unexpected way under load.
>
> This is running inside mod-perl, but I don't believe it has anything to
> do with mod-perl, per se, other than perhaps the interpreter lives a bit
> longer than the average.
>
> I am actually running the Debian GNU/Linux (i386) package of 5.8.7-3,
> but a very cursory look at the diffstat of changes makes me think that
> it is not very divergent from mainline 5.8.7.
>
> With that said, the Debian bug entry is at http://bugs.debian.org/303308
>
> On to the more detailed problem description:
>
> The following snippet of code, when run in taint mode, sometimes fails
> with a taint error:
>
> 	$page =~ tr/A-Z/a-z/;
> 	$page =~ tr/a-z0-9//cd;
>
> 	$page =~ m/^([A-Z0-9]*)$/i;
>
> 	$page = $1;
>
> 	my $ev = sprintf 'require ACI::Forms::%s; $self = new ACI::Forms::%s($q);', $page, $page;
>
> 	$l->log('info',"page (value = '%s') is tainted when about to eval '%s'",$page,$ev)
> 		if is_tainted($page);
>
> 	$l->log('info',"ev (value = '%s') is tainted when about to eval for page '%s'",$ev,$page)
> 		if is_tainted($ev);
>
> 	eval $ev;
>
> 	if ($@) {
> 		$l->log('err','Tried to eval %s, got %s',$ev,$@);
> 		return undef;
> 	}
>
> Specifically, the eval $ev; line fails.

This code runs in a module that lacks any mention of "use locale;".

In fact, as far as I can tell, the entire codebase that this is part of
does not say "use locale;" at any point.  (We do call "setlocale" to use
gettext, however.)

If I put a "use locale;" in the module that this code is from, I can
guarantee a taint error on every call.

The perllocale documentation seems to suggest that the "i" flag to a
regular expression shouldn't cause $1, $2, ... etc to remain tainted (or
to become tainted), but that seems to be the case here.  Obviously, if
the "i" flag internally uses \L, \U, etc, that would explain the issue.
The documentation, however, is misleading on that point.

The other, remaining aspect here is that the state of "locale" use may
be getting modified invisibly somewhere.  At this point, I can't claim
to have any idea where, or if it is in a shared module.  In any case, I
made the obvious fix to the above code to remove the need for /i and I
will then run this in an exhaustive test to try and verify that the
error is actually gone.



-- 
Ryan Anderson
AutoWeb Communications, Inc.
email: r...@autoweb.net
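An added example (not code from the thread) of the approach the message ends on: fold case with tr/// and match an explicit [a-z0-9] class so no /i is needed, then refuse to load anything that is off the allow-list or still tainted. The ACI::Forms::* class family comes from the post; the allow-list, the PAGE environment variable and the helper names are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Validates a request-supplied
# page name under taint mode before using it to pick a form class.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my %KNOWN_FORMS = map { $_ => 1 } qw(login search contact);   # constructed allow-list

# Return a clean, lowercase page name, or undef if the input is rejected.
# tr/// does the case folding and the class is written out in lowercase, so
# the match does not need /i and does not depend on whether "use locale" is
# in scope anywhere, which is the condition the post associates with $1
# staying tainted.
sub untaint_page_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $v = $raw) =~ tr/A-Z/a-z/;
    $v =~ tr/a-z0-9//cd;
    return $v =~ /\A([a-z0-9]{1,32})\z/ ? $1 : undef;
}

# Map a validated name to a class name. Anything not on the allow-list is
# refused, and a name that is somehow still tainted stops here instead of
# reaching require (the same check the post does with is_tainted).
sub form_class_for {
    my ($raw) = @_;
    my $name = untaint_page_name($raw);
    return undef unless defined $name && $KNOWN_FORMS{$name};
    die "page name '$name' is still tainted, refusing to load it\n"
        if tainted($name);
    return 'ACI::Forms::' . ucfirst $name;
}

# Driver: under -T, $ENV{PAGE} is tainted just as a request parameter is.
my $raw   = defined $ENV{PAGE} ? $ENV{PAGE} : 'Login';
my $class = form_class_for($raw);
if (!defined $class) {
    print "rejected page '$raw'\n";
} else {
    # Load by file name rather than via a string eval built from user data.
    (my $file = "$class.pm") =~ s{::}{/}g;
    if (eval { require $file; 1 }) {
        print "loaded $class\n";
    } else {
        print "could not load $class: $@";
    }
}
```

Run as `PAGE='Lo<gin' perl -T script.pl` to see the stripping and allow-list path; without the real ACI::Forms modules installed the require step reports the load error rather than failing a taint check.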

