diff --git a/doc/ChangeLog b/doc/ChangeLog
index c4afea82cfd7..14a19cd987c7 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -30,6 +30,8 @@ FreeRADIUS 2.2.10 Monday 17 Jul 2017 09:00:00 EDT, urgency=high
 Fix by Ean Pasternak.
 * Allow non-FIPS for MD5. Fix by Ean Pasternak.
+ * For rlm_perl, document: perl_flags = "-T", and set all
+ variables to "tainted".
 
 FreeRADIUS 2.2.9 Wednesday 30 Sep 2015 17:00:00 EDT, urgency=medium
 
 Feature improvements
diff --git a/raddb/modules/perl b/raddb/modules/perl
index 69ad3076119e..8245b6c519ab 100644
--- a/raddb/modules/perl
+++ b/raddb/modules/perl
@@ -13,6 +13,17 @@ perl {
 #
 module = ${confdir}/example.pl
 
+ #
+ # Options which are passed to the Perl interpreter.
+ # These are (mostly) the same options as are passed
+ # to the "perl" command line.
+ #
+ # The most useful flag is "-T". This sets tainting on. And
+ # as of 3.0.18, makes it impossible to leverage bad
+ # User-Names into local command execution.
+ #
+ perl_flags = "-T"
+
 #
 # The following hashes are given to the module and
 # filled with value-pairs (Attribute names and values)
diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c
index 21cb610eea15..dffd801d2f98 100644
--- a/src/modules/rlm_perl/rlm_perl.c
+++ b/src/modules/rlm_perl/rlm_perl.c
@@ -542,6 +542,7 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 {
 VALUE_PAIR *nvp, *vpa, *vpn;
 AV *av;
+ SV *sv;
 char namebuf[256];
 const char *name;
 char buffer[1024];
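Review bot: The new comment block above `perl_flags` cites "as of 3.0.18", while the ChangeLog hunk in this same commit files the change under FreeRADIUS 2.2.10, so a reader of this branch cannot tell which release actually starts marking attribute values as tainted; name the release this patch ships in (a placeholder like `as of <this-release>` until it is filled in) or drop the version reference. The wording "makes it impossible to leverage bad User-Names into local command execution" also overstates what taint mode provides: "-T" only makes Perl die when tainted data reaches system(), exec(), backticks and similar operations, and a script can still deliberately untaint a value with a regex capture, so the guarantee depends on the script as well. Suggest replacing the two sentences with `# The most useful flag is "-T".  It enables Perl's taint mode, so attribute` / `# values passed to the script (e.g. User-Name) cannot reach system(), exec(),` / `# etc. unless the script explicitly untaints them.` It is also worth stating next to `perl_flags = "-T"` that the taint marks set by rlm_perl have no effect unless "-T" is actually passed, so commenting this line out silently disables the protection.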
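Review bot: `SV *sv;` is added at function scope in `perl_store_vps` with no comment, although from the following hunk it is only ever assigned from `newSVpv()` and consumed right after being marked tainted, once per attribute value; a reader of the declaration list cannot tell why a third scalar pointer joined `av`. Either declare it at first use, if the file's compiler baseline allows C99 mixed declarations, or give it a purpose comment such as `SV *sv;		/* one attribute value, marked tainted before it is stored */`. The function body continues outside this hunk.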
@@ -581,15 +582,20 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 for (vpn = vpa; vpn != NULL; vpn = vpn->next) {
 len = vp_prints_value(buffer, sizeof(buffer), vpn, FALSE);
- av_push(av, newSVpv(buffer, len));
+ sv = newSVpv(buffer, len);
+ if (!sv) continue;
+ SvTAINTED_on(sv);
+ av_push(av, sv);
 }
 hv_store(rad_hv, name, namelen, newRV_noinc((SV *) av), 0);
 } else {
 len = vp_prints_value(buffer, sizeof(buffer), vpa, FALSE);
+ sv = newSVpv(buffer, len);
+ if (sv) SvTAINTED_on(sv);
 hv_store(rad_hv, name, namelen,
- newSVpv(buffer, len), 0);
+ sv, 0);
 }
 pairfree(&vpa);