https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806

            Bug ID: 7806
           Summary: Tainting through concatenation with $^X does not taint
           Product: Spamassassin
           Version: 3.4.4
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: spamassassin
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: Undefined

Env: CentOS Linux, perl5.10.1, spamassassin invoked by MailScanner

Util.pm, sub taint_var is supposed to taint a variable by concatenating it with
$^X:
###########################################################################
sub taint_var {
  my ($v) = @_;
  return $v unless defined $v;      # can't taint "undef"

  # $^X is apparently "always tainted".
  # Concatenating an empty tainted string taints the result.
  return $v . substr($^X, 0, 0);
}

But it doesn't. Variables are not tainted by concatenation with $^X.

The following implementation does indeed taint:
###########################################################################
my $tainted = undef;
sub taint_var {
  my ($v) = @_;
  return $v unless defined $v;      # can't taint "undef"

  # Create a handy tainted empty string
  unless (defined $tainted) {
    open my $fh, '<', \"" or die "Can't open: $!";
    local $/;
    $tainted = <$fh>;
  }

  # Concatenating an empty tainted string taints the result.
  return $v . substr($tainted, 0, 0);
}

Rather than using $^X this approach creates a certainly tainted variable
$tainted only once and re-uses it whenever needed.

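A way to check both variants on a given perl build, as an added example that is not part of the original report or of SpamAssassin: it reports the interpreter's taint mode and whether each approach returns a tainted value. The sub names `taint_var_via_x`, `taint_var_via_read` and `report`, and the sample string, are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: reports whether each taint_var variant from the report
# yields a tainted value on this interpreter. All names are constructed.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Variant 1 (Util.pm as quoted): concatenate a zero-length slice of $^X.
sub taint_var_via_x {
  my ($v) = @_;
  return $v unless defined $v;      # can't taint "undef"
  return $v . substr($^X, 0, 0);
}

# Variant 2 (proposed): concatenate an empty string read from a filehandle.
my $tainted_empty;
sub taint_var_via_read {
  my ($v) = @_;
  return $v unless defined $v;
  unless (defined $tainted_empty) {
    my $buf = '';
    open my $fh, '<', \$buf or die "Can't open: $!";
    local $/;                       # slurp mode
    $tainted_empty = <$fh>;
    close $fh;
    # Guard against undef so substr() below never warns; a literal ''
    # is untainted, so a failed read shows up as "not tainted".
    $tainted_empty = '' unless defined $tainted_empty;
  }
  return $v . substr($tainted_empty, 0, 0);
}

sub report {
  my $clean = 'sample value';       # constructed, untainted literal
  return {
    taint_mode => ${^TAINT},        # 1 = -T, -1 = -t, 0 = taint mode off
    perl_x     => tainted($^X) ? 1 : 0,
    via_x      => tainted(taint_var_via_x($clean)) ? 1 : 0,
    via_read   => tainted(taint_var_via_read($clean)) ? 1 : 0,
  };
}

my $r = report();
printf "%-12s %s\n", $_, $r->{$_} for qw(taint_mode perl_x via_x via_read);
# Non-zero exit if either variant failed to taint, for use in a test suite.
exit(($r->{via_x} && $r->{via_read}) ? 0 : 1);
```

Run it as `perl -T script.pl` with the same perl binary the mail scanner uses; when `taint_mode` prints 0 the interpreter is not in taint mode and no value is ever marked tainted, whichever variant is used.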