notes and fixes for tainted Perl variables

doc/ChangeLog

@@ -30,6 +30,8 @@ FreeRADIUS 2.2.10 Monday 17 Jul 2017 09:00:00 EDT, urgency=high
 	  Fix by Ean Pasternak.
 	* Allow non-FIPS for MD5.
 	  Fix by Ean Pasternak.
+	* For rlm_perl, document: perl_flags = "-T", and set all
+	  variables to "tainted".
 
 FreeRADIUS 2.2.9 Wednesday 30 Sep 2015 17:00:00 EDT, urgency=medium
 	Feature improvements

raddb/modules/perl

@@ -13,6 +13,17 @@ perl {
 	#
 	module = ${confdir}/example.pl
 
+	#
+	#  Options which are passed to the Perl interpreter.
+	#  These are (mostly) the same options as are passed
+	#  to the "perl" command line.
+	#
+	#  The most useful flag is "-T".  This sets tainting on.  And
+	#  as of 3.0.18, makes it impossible to leverage bad
+	#  User-Names into local command execution.
+	#
+	perl_flags = "-T"
+
 	#
 	#  The following hashes are given to the module and
         #  filled with value-pairs (Attribute names and values)

src/modules/rlm_perl/rlm_perl.c

@@ -542,6 +542,7 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 {
 	VALUE_PAIR	*nvp, *vpa, *vpn;
 	AV		*av;
+	SV		*sv;
 	char		namebuf[256];
 	const char 	*name;
 	char	    	buffer[1024];
@@ -581,15 +582,20 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 			for (vpn = vpa; vpn != NULL; vpn = vpn->next) {
 				len = vp_prints_value(buffer, sizeof(buffer),
 						vpn, FALSE);
-				av_push(av, newSVpv(buffer, len));
+				sv = newSVpv(buffer, len);
+				if (!sv) continue;
+				SvTAINTED_on(sv);
+				av_push(av, sv);
 			}
 			hv_store(rad_hv, name, namelen,
 					newRV_noinc((SV *) av), 0);
 		} else {
 			len = vp_prints_value(buffer, sizeof(buffer),
 					      vpa, FALSE);
+			sv = newSVpv(buffer, len);
+			if (sv) SvTAINTED_on(sv);
 			hv_store(rad_hv, name, namelen,
-				 newSVpv(buffer, len), 0);
+				 sv, 0);
 		}
 
 		pairfree(&vpa);