Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

utf8_heavy.pl, tainted and insecure dependency #7745

Closed
p5pRT opened this issue Jan 11, 2005 · 9 comments
Closed

utf8_heavy.pl, tainted and insecure dependency #7745

p5pRT opened this issue Jan 11, 2005 · 9 comments
Labels
distro-Linux security type-core type-library type-regex type-Unicode

Comments

@p5pRT
Copy link

p5pRT commented Jan 11, 2005

Migrated from rt.perl.org#33755 (status was 'rejected')

Searchable as RT33755$
@p5pRT
Copy link
Author

p5pRT commented Jan 11, 2005

From adelton@fi.muni.cz

Created by adelton@fi.muni.cz

Hello,

I have a fairly complex set of module that I try to write tests for.
I have -T in my *.t files. All of a sudden, my tests started to fail
with

  Insecure dependency in require while running with -T switch at
  /usr/lib/perl5/5.8.5/utf8_heavy.pl line 182.

The line 182 in utf8_heavy.pl is the line where

  $list = do $file;

is called. Okay, I never called utf8_heavy.pl myself, but digging
through the sources makes me think that it has something to do with
regular expressions and things like that. However, the problem
disappears when I run the program under debugger. So does the problem
disappear when I run perl -Iblib/arch ... instead of make test. That's
why I was not able to make a standalone test case.

Nevertheless, I changed the utf8_heavy.pl as follows

Inline Patch 
--- /usr/lib/perl5/5.8.5/utf8_heavy.pl	2004-10-12 18:54:58.000000000 +0200
+++ utf8_heavy.pl	2005-01-11 08:47:52.498218355 +0100
@@ -148,9 +148,17 @@
 	    ## The user-level way to access ToDigit() and ToFold()
 	    ## is to use Unicode::UCD.
             ##
+
+	     use Scalar::Util;
+	     if (Scalar::Util::tainted($type)) {
+	         print "Type [$type] is tainted\n";
+	     } else {
+	         print "Type [$type] is not tainted\n";
+	     }
             if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/)
             {
                 $file = "unicore/To/$1.pl";
+	         print "File [$file] is tainted\n" if Scalar::Util::tainted($file);
                 ## would like to test to see if $file actually exists....
                 last GETFILE;
             }
@@ -179,6 +187,7 @@
 		return $Cache{$class, $file};
 	    }
 
+	    print "File [$file] is tainted\n" if Scalar::Util::tainted($file);
 	    $list = do $file;
 	}
and the output is

Type [ToLower] is not tainted
File [unicore/To/Lower.pl] is tainted
File [unicore/To/Lower.pl] is tainted

So I believe that this is a bug in Perl's tainting mechanism --
if I start with untainted $type and do

  if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/) {
  $file = "unicore/To/$1.pl";
  }

the $file should not be tainted, IMO. Changing $1 to $+, leading to

  $file = "unicore/To/$+.pl";

makes the problem disappear.

Maybe this bug report will help someone remember what could be wrong
with Perl's tainting mechanism and $1? Similar problems were reported
by random people, Google shows

  http​://ipv6.he.net/forum/read.php?f=1&i=845&t=845
  http​://www.mail-archive.com/qpsmtpd@​perl.org/msg01505.html

and it seems that the problem only happens in very rare conditions
of complex modules.

Sincerely,

Jan Pazdziora
adelton@​fi.muni.cz

Perl Info 

Flags:
    category=core
    severity=medium

This perlbug was built using Perl v5.8.5 in the Red Hat build system.
It is being executed now by Perl v5.8.5 - Tue Oct 12 12:44:18 EDT 2004.

Site configuration information for perl v5.8.5:

Configured by Red Hat, Inc. at Tue Oct 12 12:44:18 EDT 2004.

Summary of my perl5 (revision 5 version 8 subversion 5) configuration:
  Platform:
    osname=linux, osvers=2.4.21-14.elsmp, archname=i386-linux-thread-multi
    uname='linux tweety.build.redhat.com 2.4.21-14.elsmp #1 smp wed apr 14 18:55:47 edt 2004 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -Dversion=5.8.5 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dinc_version_list=5.8.4 5.8.3 5.8.2 5.8.1 5.8.0'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -g -pipe -m32 -march=i386 -mtune=pentium4',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.4.2 20041006 (Red Hat 3.4.2-5)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.3.3.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.3.3'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.5:
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.4
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.3
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.2
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.1
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.0
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/5.8.5
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/5.8.4
    /usr/lib/perl5/site_perl/5.8.5/5.8.3
    /usr/lib/perl5/site_perl/5.8.5/5.8.2
    /usr/lib/perl5/site_perl/5.8.5/5.8.1
    /usr/lib/perl5/site_perl/5.8.5/5.8.0
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/5.8.5
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/site_perl/5.8.4
    /usr/lib/perl5/site_perl/5.8.3
    /usr/lib/perl5/site_perl/5.8.2
    /usr/lib/perl5/site_perl/5.8.1
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl/5.8.4
    /usr/lib/perl5/vendor_perl/5.8.3
    /usr/lib/perl5/vendor_perl/5.8.2
    /usr/lib/perl5/vendor_perl/5.8.1
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    .


Environment for perl v5.8.5:
    HOME=/home/adelton
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/lib/jre/bin:/home/adelton/bin:/usr/lib/jre/bin
    PERL5LIB=/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.5
    PERL_BADLANG (unset)
    SHELL=/bin/bash

@p5pRT
Copy link
Author

p5pRT commented Mar 25, 2010

From @iabyn

Regarding your taint bug report from 2005. Sorry, no-one's replied to it
before now, but better late than never!

Do still you have the ability to reproduce this issue, either with 5.8.5
or anything newer? If so, Could you add a couple of Dump statements to
utf8_heavy.pl in addition to to your existing debugging statements
mentioned in the original bug report; i.e. change

  if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/)
  {
  $file = "unicore/To/$1.pl";

To
  use Devel​::Peek;
  Dump $type; Dump $file; Dump $1;
  if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/)
  {
  Dump $type; Dump $file; Dump $1;
  $file = "unicore/To/$1.pl";
  Dump $type; Dump $file; Dump $1;

@p5pRT
Copy link
Author

p5pRT commented Mar 25, 2010

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Mar 26, 2010

From adelton@fi.muni.cz

On Thu, Mar 25, 2010 at 01​:36​:58PM -0700, Dave Mitchell via RT wrote​:

Regarding your taint bug report from 2005. Sorry, no-one's replied to it
before now, but better late than never!

Do still you have the ability to reproduce this issue, either with 5.8.5
or anything newer? If so, Could you add a couple of Dump statements to
utf8_heavy.pl in addition to to your existing debugging statements
mentioned in the original bug report; i.e. change

        if \($type =~ /^To\(Digit|Fold|Lower|Title|Upper\)$/\)
        \{
            $file = "unicore/To/$1\.pl";

To
use Devel​::Peek;
Dump $type; Dump $file; Dump $1;
if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/)
{
Dump $type; Dump $file; Dump $1;
$file = "unicore/To/$1.pl";
Dump $type; Dump $file; Dump $1;

Dave,

I'm sorry but I no longer have access to the reproducer (I no longer
work with the company where I was debugging the issue) nor do I really
remember what the issue was or what perl modules I've been using back
then.

Looking at my perlbug report, I should have put more information about
my setup there even if it would not be possible to reproduce it on
your side, as it would at least allow me to remember what code it was
I was working on.

Sorry,

--

  Jan Pazdziora | adelton@​fi.muni.cz | http​://www.fi.muni.cz/~adelton/
.project​: Satellite, Spacewalk | Only self-confident people can be simple.

@p5pRT
Copy link
Author

p5pRT commented Mar 27, 2010

From @iabyn

On Fri, Mar 26, 2010 at 10​:55​:41AM +0100, Jan Pazdziora wrote​:

On Thu, Mar 25, 2010 at 01​:36​:58PM -0700, Dave Mitchell via RT wrote​:

Regarding your taint bug report from 2005. Sorry, no-one's replied to it
before now, but better late than never!

Do still you have the ability to reproduce this issue, either with 5.8.5
or anything newer? If so, Could you add a couple of Dump statements to
utf8_heavy.pl in addition to to your existing debugging statements
mentioned in the original bug report; i.e. change

        if \($type =~ /^To\(Digit|Fold|Lower|Title|Upper\)$/\)
        \{
            $file = "unicore/To/$1\.pl";

To
use Devel​::Peek;
Dump $type; Dump $file; Dump $1;
if ($type =~ /^To(Digit|Fold|Lower|Title|Upper)$/)
{
Dump $type; Dump $file; Dump $1;
$file = "unicore/To/$1.pl";
Dump $type; Dump $file; Dump $1;

Dave,

I'm sorry but I no longer have access to the reproducer (I no longer
work with the company where I was debugging the issue) nor do I really
remember what the issue was or what perl modules I've been using back
then.

Looking at my perlbug report, I should have put more information about
my setup there even if it would not be possible to reproduce it on
your side, as it would at least allow me to remember what code it was
I was working on.

Ah well, not to worry. I'll mark the ticket as stalled.

--
The Enterprise successfully ferries an alien VIP from one place to another
without serious incident.
  -- Things That Never Happen in "Star Trek" #7

@p5pRT
Copy link
Author

p5pRT commented Mar 27, 2010

@iabyn - Status changed from 'open' to 'stalled'

@p5pRT
Copy link
Author

p5pRT commented Jul 7, 2016

From @dcollinsn

Based on his -V, I'm wondering if there was some interaction between incompatible versions of modules. Perhaps that why make test behaved differently than calling the test program directly. In any event, I can't reproduce this anywhere going back to 5.8.5 (or even earlier). Since we have no hope of reproducing, I intend to close this.

@p5pRT
Copy link
Author

p5pRT commented Jul 7, 2016

The RT System itself - Status changed from 'stalled' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Jul 12, 2016

@dcollinsn - Status changed from 'open' to 'rejected'

@p5pRT p5pRT closed this as completed Jul 12, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
distro-Linux security type-core type-library type-regex type-Unicode
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@p5pRT