On Tue, 6 Feb 2001, Brian Ingerson wrote:
> So back to the taint patch. I assume (not being a taint person) that the
> working end of the patch is:
>
> + # Untaint.
> + $config =~ /^(.*)\z/s;
> + $config = $1;
>
> Is that the only thing that needs fixing for Inline to be taint-safe?
That will get Inline past the taint-checking. But I don't recommend it.
> If I'm missing the point and opening gaping security holes, I want to
> know that as well.
The problem is that the above code untaints without validating the data. I
mistakenly thought that inserting an MD5 hash would work, but without it you
need some other check. The safest thing, though, is to avoid eval
'string' altogether and parse the config file yourself.
Actually, how about using Storable instead of Data::Dumper?
--- Inline-0.31/Inline.pm Sat Jan 13 23:02:12 2001
+++ Inline.pm Wed Feb 7 02:47:14 2001
@@ -10,6 +10,7 @@
use Digest::MD5 qw(md5_hex);
use Cwd qw(abs_path cwd);
use FindBin;
+use Storable qw/store retrieve/;
my %CONFIG = ();
my @DATA_OBJS = ();
@@ -341,17 +342,14 @@
$o->create_config_file("$DIRECTORY/config") if not -e "$DIRECTORY/config";
- open CONFIG, "< $DIRECTORY/config"
- or croak "Can't open ${DIRECTORY}config for input\n";
- my $config = join '', <CONFIG>;
- close CONFIG;
-
- delete $main::{Inline::config::};
- eval <<END;
-;package Inline::config;
-no strict;
-$config
-END
+ my $data = retrieve("$DIRECTORY/config")
+ or croak("Can't retrieve config from $DIRECTORY/config\n");
+
+ {
+ package Inline::config;
+ no strict 'refs';
+ *$_ = $data->{$_} for keys %$data;
+ }
croak error_old_version
unless (defined $Inline::config::version and
@@ -417,23 +415,16 @@
closedir LIB;
}
- require Data::Dumper;
- local $Data::Dumper::Terse = 1;
- local $Data::Dumper::Indent = 1;
- my $languages = Data::Dumper::Dumper(\%languages);
- my $types = Data::Dumper::Dumper(\%types);
- my $modules = Data::Dumper::Dumper(\%modules);
- my $suffixes = Data::Dumper::Dumper(\%suffixes);
-
- open CONFIG, "> $file" or croak "Can't open $file for output\n";
- print CONFIG <<END;
-\$version = $Inline::VERSION;
-%languages = %{$languages};
-%types = %{$types};
-%modules = %{$modules};
-%suffixes = %{$suffixes};
-END
- close CONFIG;
+ my $data = {
+ version => \$Inline::VERSION,
+ languages => \%languages,
+ types => \%types,
+ modules => \%modules,
+ suffixes => \%suffixes,
+ };
+
+ store($data, $file)
+ or croak("Can't store config in $file\n");
}
#==============================================================================
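Review bot: `store($data, $file)` on the new side writes straight to the final path, so a process that calls retrieve while the write is in progress, or after an interrupted run, reads a truncated file and fails with Storable's own error; storing to a per-process temporary name and renaming it into place makes the update atomic. Storable reports most failures by croaking rather than returning false (hedged, from the module's error-reporting convention), so the `or croak("Can't store config in $file\n")` guard is rarely reached and the message a user sees will usually be Storable's. This change removes the string-eval but not the trust placed in the file: retrieve deserialises whatever $DIRECTORY/config contains, including references blessed into arbitrary packages, so the permissions on $DIRECTORY remain the real security boundary, and the consuming hunk at `@@ -341,17 +342,14 @@` glob-assigns every key of the retrieved hash without restricting it to the five names written here. The enclosing sub's signature is outside this hunk.
```perl
    # … unchanged: building $data …

    # Write to a temporary name and rename so readers never see a partial file.
    my $tmp = "$file.$$";
    store($data, $tmp)
        or croak("Can't store config in $tmp\n");
    rename $tmp, $file
        or croak("Can't rename $tmp to $file: $!\n");
```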
--
Tim Gim Yee
[EMAIL PROTECTED]