In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/64ff300be0f7714585466af5bb87b2e37db5082a?hp=fd26b6f0c4deeadd937bf2849a61769458daf368>
- Log ----------------------------------------------------------------- commit 64ff300be0f7714585466af5bb87b2e37db5082a Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 14:10:45 2014 -0700 [perl #122669] Donât taint at compile time #!perl -T # tainted constant use constant K=>$^X; # Just reading the constant for the sake of folding can enabled # taintedness at compile time. 0 if K; # Taintedness is still on when the âstrict.pmâ SV is created, so # require croaks on it (âInsecure dependencyâ). use strict; The fix is simply not to propagate taintedness at compile time. Hence, the value of K will still be tainted at run time (require(K) croaks), but just reading the value of K at compile time wonât taint subsequent string literals (or barewords treated as strings). âCompile timeâ here is relative: Taintedness still wafts about as usual when BEGIN blocks are executed, because code is actually run- ning. Itâs when code is being parsed that propagation is disabled. The reason taint propagation could span across statements at compile time was that *execution* of a new statement resets taintedness, whereas parsing is oblivious to it. M mg.c M t/op/taint.t commit 0286dbbe232b42269df3d1b10663cd203ce0916d Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 13:40:30 2014 -0700 Let taint.t run under miniperl âuse re taint;â doesnât load re.xs, and hasnât for a long time. M t/op/taint.t commit 51e97f47f1f8e3c1e1f0fd85dd66ca850ae5cbdb Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 13:39:57 2014 -0700 taint.t: Fix skip count M t/op/taint.t commit 9054c817efbd6919e7870e558c4f83bba9607ed5 Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 13:11:03 2014 -0700 Get â./miniperl -Ilib -Tâ working If the first directory included via -I contains buildcustomize.pl, then miniperl will try to load it at startup. This allows the build process to access all the necessary directories, because buildcustomize.pl fills in @INC. This was not working under taint mode, making it a pain for me to diagnose tainting bugs with miniperl (which builds faster than perl proper, obviously). It failed because buildcustomize.pl is loaded with generated code that does âdo "lib/buildcustomize.pl"â (where âlibâ is taken from -Ilib), but do-file searches @INC, which does not include the current direc- tory under taint mode. The easiest solution here is to add â./â to the beginning of the path. It is unlikely that anyone is using miniperl -I/... (with an absolute path), and miniperl is only supposed to be used for building or devel- oping perl, anyway. M perl.c commit 6fd9f6130d0c4ad34a2ddcf44d887097de5b2847 Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 12:58:37 2014 -0700 perlsec: Another typo M pod/perlsec.pod commit c6c886efdb6df3d06613743e0e6780de4a145e66 Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 12:55:22 2014 -0700 perlsec: Typo M pod/perlsec.pod commit 91e649137a555abe48d1527549d88a833b6226a0 Author: Father Chrysostomos <[email protected]> Date: Sun Aug 31 12:55:12 2014 -0700 perlsec: Consistent spaces after dots M pod/perlsec.pod ----------------------------------------------------------------------- Summary of changes: mg.c | 2 +- perl.c | 4 +++- pod/perlsec.pod | 42 ++++++++++++++++++++++-------------------- t/op/taint.t | 13 ++++++++++--- 4 files changed, 36 insertions(+), 25 deletions(-) diff --git a/mg.c b/mg.c index e1fc578..9dc0679 100644 --- a/mg.c +++ b/mg.c @@ -2237,7 +2237,7 @@ Perl_magic_gettaint(pTHX_ SV *sv, MAGIC *mg) PERL_UNUSED_ARG(mg); #endif - TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1)); + TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1) && IN_PERL_RUNTIME); return 0; } diff --git a/perl.c b/perl.c index 8df24db..4af5348 100644 --- a/perl.c +++ b/perl.c @@ -2070,7 +2070,9 @@ S_parse_body(pTHX_ char **env, XSINIT_t xsinit) it should be reported immediately as a build failure. */ (void)Perl_av_create_and_unshift_one(aTHX_ &PL_preambleav, Perl_newSVpvf(aTHX_ - "BEGIN { do {local $!; -f q%c%"SVf"/buildcustomize.pl%c} and do q%c%"SVf"/buildcustomize.pl%c || die $@ }", + "BEGIN { do {local $!; -f q%c./%"SVf + "/buildcustomize.pl%c} and do q%c./%"SVf + "/buildcustomize.pl%c || die $@ }", 0, SVfARG(*inc0), 0, 0, SVfARG(*inc0), 0)); } diff --git a/pod/perlsec.pod b/pod/perlsec.pod index b6474e6..75ce3fd 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -28,9 +28,9 @@ Perl automatically enables a set of special security checks, called I<taint mode>, when it detects its program running with differing real and effective user or group IDs. The setuid bit in Unix permissions is mode 04000, the setgid bit mode 02000; either or both may be set. You can also enable taint -mode explicitly by using the B<-T> command line flag. This flag is +mode explicitly by using the B<-T> command line flag. This flag is I<strongly> suggested for server programs and any program run on behalf of -someone else, such as a CGI script. Once taint mode is on, it's on for +someone else, such as a CGI script. Once taint mode is on, it's on for the remainder of your script. While in this mode, Perl takes special precautions called I<taint @@ -234,9 +234,9 @@ Unix-like environments that support #! and setuid or setgid scripts.) When the taint mode (C<-T>) is in effect, the "." directory is removed from C<@INC>, and the environment variables C<PERL5LIB> and C<PERLLIB> -are ignored by Perl. You can still adjust C<@INC> from outside the +are ignored by Perl. You can still adjust C<@INC> from outside the program by using the C<-I> command line option as explained in -L<perlrun>. The two environment variables are ignored because +L<perlrun>. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the C<-I> option is clearly visible and therefore permitted. @@ -247,7 +247,7 @@ the C<lib> pragma, e.g.: perl -Mlib=/foo program The benefit of using C<-Mlib=/foo> over C<-I/foo>, is that the former -will automagically remove any duplicated directories, while the later +will automagically remove any duplicated directories, while the latter will not. Note that if a tainted string is added to C<@INC>, the following @@ -271,7 +271,7 @@ your PATH, it makes sure you set the PATH. The PATH isn't the only environment variable which can cause problems. Because some shells may use the variables IFS, CDPATH, ENV, and BASH_ENV, Perl checks that those are either empty or untainted when -starting subprocesses. You may wish to add something like this to your +starting subprocesses. You may wish to add something like this to your setid and taint-checking scripts. delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer @@ -280,7 +280,8 @@ It's also possible to get into trouble with other operations that don't care whether they use tainted values. Make judicious use of the file tests in dealing with any user-supplied filenames. When possible, do opens and such B<after> properly dropping any special user (or group!) -privileges. Perl doesn't prevent you from opening tainted filenames for reading, +privileges. Perl doesn't prevent you from +opening tainted filenames for reading, so be careful what you print out. The tainting mechanism is intended to prevent stupid mistakes, not to remove the need for thought. @@ -353,7 +354,7 @@ are trapped and namespace access is carefully controlled. Safe should not be considered bullet-proof, though: it will not prevent the foreign code to set up infinite loops, allocate gigabytes of memory, or even abusing perl bugs to make the host interpreter crash or behave in -unpredictable ways. In any case it's better avoided completely if you're +unpredictable ways. In any case it's better avoided completely if you're really concerned about security. =head2 Security Bugs @@ -458,17 +459,17 @@ I<Denial of Service> (DoS) attacks. Hash Algorithm - Hash algorithms like the one used in Perl are well known to be vulnerable to collision attacks on their hash function. Such attacks involve constructing a set of keys which collide into -the same bucket producing inefficient behavior. Such attacks often +the same bucket producing inefficient behavior. Such attacks often depend on discovering the seed of the hash function used to map the -keys to buckets. That seed is then used to brute-force a key set which -can be used to mount a denial of service attack. In Perl 5.8.1 changes +keys to buckets. That seed is then used to brute-force a key set which +can be used to mount a denial of service attack. In Perl 5.8.1 changes were introduced to harden Perl to such attacks, and then later in Perl 5.18.0 these features were enhanced and additional protections added. At the time of this writing, Perl 5.18.0 is considered to be well-hardened against algorithmic complexity attacks on its hash -implementation. This is largely owed to the following measures +implementation. This is largely owed to the following measures mitigate attacks: =over 4 @@ -476,9 +477,9 @@ mitigate attacks: =item Hash Seed Randomization In order to make it impossible to know what seed to generate an attack -key set for, this seed is randomly initialized at process start. This +key set for, this seed is randomly initialized at process start. This may be overridden by using the PERL_HASH_SEED environment variable, see -L<perlrun/PERL_HASH_SEED>. This environment variable controls how +L<perlrun/PERL_HASH_SEED>. This environment variable controls how items are actually stored, not how they are presented via C<keys>, C<values> and C<each>. @@ -489,14 +490,15 @@ C<values>, and C<each> return items in a per-hash randomized order. Modifying a hash by insertion will change the iteration order of that hash. This behavior can be overridden by using C<hash_traversal_mask()> from L<Hash::Util> or by using the PERL_PERTURB_KEYS environment variable, -see L<perlrun/PERL_PERTURB_KEYS>. Note that this feature controls the +see L<perlrun/PERL_PERTURB_KEYS>. Note that this feature controls the "visible" order of the keys, and not the actual order they are stored in. =item Bucket Order Perturbance When items collide into a given hash bucket the order they are stored in -the chain is no longer predictable in Perl 5.18. This has the intention -to make it harder to observe a collisions. This behavior can be overridden by using +the chain is no longer predictable in Perl 5.18. This +has the intention to make it harder to observe a +collision. This behavior can be overridden by using the PERL_PERTURB_KEYS environment variable, see L<perlrun/PERL_PERTURB_KEYS>. =item New Default Hash Function @@ -508,16 +510,16 @@ it harder to infer the hash seed. The source code includes multiple hash algorithms to choose from. While we believe that the default perl hash is robust to attack, we have included the -hash function Siphash as a fall-back option. At the time of release of +hash function Siphash as a fall-back option. At the time of release of Perl 5.18.0 Siphash is believed to be of cryptographic strength. This is not the default as it is much slower than the default hash. =back Without compiling a special Perl, there is no way to get the exact same -behavior of any versions prior to Perl 5.18.0. The closest one can get +behavior of any versions prior to Perl 5.18.0. The closest one can get is by setting PERL_PERTURB_KEYS to 0 and setting the PERL_HASH_SEED -to a known value. We do not advise those settings for production use +to a known value. We do not advise those settings for production use due to the above security considerations. B<Perl has never guaranteed any ordering of the hash keys>, and diff --git a/t/op/taint.t b/t/op/taint.t index 607402c..6ec66ce 100644 --- a/t/op/taint.t +++ b/t/op/taint.t @@ -11,13 +11,12 @@ BEGIN { chdir 't' if -d 't'; @INC = '../lib'; require './test.pl'; - skip_all_if_miniperl("no dynamic loading on miniperl, no re"); } use strict; use Config; -plan tests => 800; +plan tests => 801; $| = 1; @@ -1513,7 +1512,7 @@ SKIP: { } SKIP: { - skip "no Fcntl", 18 unless $has_fcntl; + skip "no Fcntl", 36 unless $has_fcntl; my $foo = tempfile(); my $evil = $foo . $TAINT; @@ -2323,6 +2322,14 @@ $::x = "foo"; $_ = "$TAINT".reset "x"; is eval { eval $::x.1 }, 1, 'reset does not taint undef'; +# [perl #122669] +is runperl( + switches => [ '-T' ], + prog => 'use constant K=>$^X; 0 if K; BEGIN{} use strict; print 122669, qq-\n-', + stderr => 1, + ), "122669\n", + 'tainted constant as logop condition should not prevent "use"'; + # This may bomb out with the alarm signal so keep it last SKIP: { skip "No alarm()" unless $Config{d_alarm}; -- Perl5 Master Repository
