Martin J. Evans wrote:
> Martin J. Evans wrote:
>> Hi,
>>
>> I've spent some time on this today and I am getting nowhere. Before I
>> redouble my efforts I thought I'd post here just in case anything rings
>> a bell with someone.
>>
>> We are using the latest DBI and DBD::Oracle to get data from an Oracle
>> data. All data is retrieved via a reference cursor returned from a
>> function or procedure. When our application starts work there is no
>> problem but part way through all of the returned data is inexplicably
>> tainted. This is a real PITA because of bugs in Locale::MakeText
>> (http://rt.cpan.org/Public/Bug/Display.html?id=40727) via the Perl bug
>> re pos not updated on \G in regexps
>> (http://rt.perl.org/rt3/Public/Bug/Display.html?id=27344) and in general
>> because some DB returned data is used to create filenames and because it
>> prevents us using -T (instead we are having to run -t).
>>
>> We are running the perl script as root but it makes no difference run as
>> a normal user. When tainted data is returned TaintIn, TaintOut and Taint
>> are all false on the connection handle and the statement handles are
>> created afresh for each procedure/function call.
>>
>> I've tried with the Ubuntu 9.10 supplied 5.10 and a separate 5.10.1 I
>> built - no difference.
>>
>> Any ideas where to go next?
>>
>> Thanks
>>
>> Martin
>>
>>
> 
> I forgot to mention I stuck a printf and abort in _get_fbav where
> output data is tainted and this never seems to get called. However, my
> retrieved data is still tainted.
> 
> Martin
> 
> 

For those interested I've finally tracked this down and although there
is some logic to it there seems to be a worrying change in behaviour.

If you are using the latest DBI and Perl 5.10.0 or 5.10.1 and running in
taint mode (but have not set DBI's Taint, TaintIn, TaintOut) and then use
tainted strings in the SQL you issue, the resulting data is tainted. All
we were doing is adding $0 as a comment to the end of the SQL, e.g., like
this:

select * from table -- myprogram.pl

but $0 is tainted and so all data coming back from the select is tainted.

We moved our application from Perl 5.8.8 to an Ubuntu box running 5.10.0
a few weeks ago but did not notice this problem until late last week.
This did not occur for us on 5.8.8 on another machine.

I've no idea what is tainting the returned data but this is reproducible
for us here is a small amount of perl.

Martin
-- 
Martin J. Evans
Easysoft Limited
http://www.easysoft.com
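
One way to avoid the behaviour described above, as an added example that is not part of the original post: untaint the program name with a whitelist before appending it as an SQL comment, so the statement text handed to DBI is never tainted. The helper names `sql_tag` and `tag_sql` are hypothetical, and the script is assumed to be run as `perl -T`.

```perl
# Added example, not code from the original post. Run as: perl -T tag_sql.pl
use strict;
use warnings;
use File::Basename qw(basename);
use Scalar::Util qw(tainted);

# Return an untainted, comment-safe program tag, or a fixed fallback.
# A regex capture is Perl's standard way to untaint a value. The whitelist
# also rejects newlines, which would end a "--" comment early and let the
# rest of the name be parsed as SQL.
sub sql_tag {
    my ($name) = @_;
    my $base = basename($name // '');
    return $1 if $base =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    return 'unknown';
}

# Append the tag as a trailing comment; refuse SQL text that is itself tainted.
sub tag_sql {
    my ($sql, $name) = @_;
    die "refusing tainted SQL text\n" if tainted($sql);
    return "$sql -- " . sql_tag($name);
}

# Same statement shape as in the post, with $0 passed through the whitelist.
my $sql = tag_sql('select * from table', $0);

printf "taint mode:  %s\n", ${^TAINT}     ? 'on'  : 'off';
printf "\$0 tainted:  %s\n", tainted($0)   ? 'yes' : 'no';
printf "SQL tainted: %s\n", tainted($sql) ? 'yes' : 'no';
print  "$sql\n";
```

Checking `tainted($sql)` just before `prepare` is a quick way to confirm whether the statement text is the source of tainted results.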
