3 # Taint tests by Tom Phoenix <rootbeer@teleport.com>.
5 # I don't claim to know all about tainting. If anyone sees
6 # tests that I've missed here, please add them. But this is
7 # better than having no tests at all, right?
12 @INC = '../lib' if -d '../lib';
18 my $Is_VMS = $^O eq 'VMS';
19 my $Invoke_Perl = $Is_VMS ? 'MCR Sys$Disk:[]Perl.' : './perl';
24 warn "# Note: logical name 'PATH' may have been deleted\n";
25 \$ENV{IFS} = "$ENV{IFS}";
26 \$ENV{'DCL\$PATH'} = "$ENV{'DCL$PATH'}";
32 # The empty tainted value, for tainting strings
33 my $TAINT = substr($^X, 0, 0);
34 # A tainted zero, useful for tainting numbers
35 my $TAINT0 = 0 + $TAINT;
37 # This taints each argument passed. All must be lvalues.
38 # Side effect: It also stringifies them. :-(
40 for (@_) { $_ .= $TAINT }
43 # How to identify taint when you see it
45 not eval { join("",@_), kill 0; 1 };
51 for (@_) { return 0 unless tainted $_ }
56 my($serial, $boolean, $diag) = @_;
60 print "not ok $serial\n";
61 for (split m/^/m, $diag) {
66 or substr($diag, -1) eq "\n";
70 # We need an external program to call.
71 my $ECHO = "./echo$$";
73 open PROG, "> $ECHO" or die "Can't create $ECHO: $!";
74 print PROG 'print "@ARGV\n"', "\n";
76 my $echo = "$Invoke_Perl $ECHO";
80 # First, let's make sure that Perl is checking the dangerous
81 # environment variables. Maybe they aren't set yet, so we'll
82 # taint them ourselves.
84 $ENV{'DCL$PATH'} = '' if $Is_VMS;
88 test 1, eval { `$echo 1` } eq '';
89 test 2, $@ =~ /^Insecure \$ENV{PATH}/, $@;
93 test 3, eval { `$echo 1` } eq '';
94 test 4, $@ =~ /^Insecure \$ENV{IFS}/, $@;
97 if ($^O eq 'os2' || $^O eq 'amigaos') {
98 print "# all directories are writeable\n";
101 $tmp = (grep { defined and -d and (stat _)[2] & 2 }
102 qw(/tmp /var/tmp /usr/tmp /sys$scratch),
103 @ENV{qw(TMP TEMP)})[0]
104 or print "# can't find world-writeable directory to test PATH\n";
110 test 5, eval { `$echo 1` } eq '';
111 test 6, $@ =~ /^Insecure directory in \$ENV{PATH}/, $@;
114 for (5..6) { print "ok $_\n" }
119 test 7, eval { `$echo 1` } eq "1\n";
120 test 8, $@ eq '', $@;
123 $ENV{'DCL$PATH'} = $TAINT;
124 test 9, eval { `$echo 1` } eq '';
125 test 10, $@ =~ /^Insecure \$ENV{DCL\$PATH}/, $@;
127 $ENV{'DCL$PATH'} = $tmp;
128 test 11, eval { `$echo 1` } eq '';
129 test 12, $@ =~ /^Insecure directory in \$ENV{DCL\$PATH}/, $@;
132 print "# can't find world-writeable directory to test DCL\$PATH\n";
133 for (11..12) { print "ok $_\n" }
135 $ENV{'DCL$PATH'} = '';
138 print "# This is not VMS\n";
139 for (9..12) { print "ok $_\n"; }
143 # Let's see that we can taint and untaint as needed.
146 test 13, tainted $foo;
148 # That was a sanity check. If it failed, stop the insanity!
149 die "Taint checks don't seem to be enabled" unless tainted $foo;
152 test 14, not tainted $foo;
155 test 15, tainted $foo;
158 test 16, not any_tainted @list;
159 taint_these @list[1,3,5,7,9];
160 test 17, any_tainted @list;
161 test 18, all_tainted @list[1,3,5,7,9];
162 test 19, not any_tainted @list[0,2,4,6,8];
164 ($foo) = $foo =~ /(.+)/;
165 test 20, not tainted $foo;
167 $foo = $1 if ('bar' . $TAINT) =~ /(.+)/;
168 test 21, not tainted $foo;
169 test 22, $foo eq 'bar';
171 my $pi = 4 * atan2(1,1) + $TAINT0;
172 test 23, tainted $pi;
174 ($pi) = $pi =~ /(\d+\.\d+)/;
175 test 24, not tainted $pi;
176 test 25, sprintf("%.5f", $pi) eq '3.14159';
179 # How about command-line arguments? The problem is that we don't
180 # always get some, so we'll run another process with some.
183 open PROG, "> $arg" or die "Can't create $arg: $!";
185 eval { join('', @ARGV), kill 0 };
186 exit 0 if $@ =~ /^Insecure dependency/;
187 print "# Oops: \$@ was [$@]\n";
191 print `$Invoke_Perl "-T" $arg and some suspect arguments`;
192 test 26, !$?, "Exited with status $?";
196 # Reading from a file should be tainted
199 test 27, open(FILE, $file), "Couldn't open '$file': $!";
202 sysread(FILE, $block, 100);
205 test 28, tainted $block;
206 test 29, tainted $line;
209 # Globs should be tainted.
211 # Some glob implementations need to spawn system programs.
212 local $ENV{PATH} = '';
213 $ENV{PATH} = (-l '/bin' ? '' : '/bin:') . '/usr/bin' unless $Is_VMS;
216 test 30, all_tainted @globs;
219 test 31, all_tainted @globs;
222 # Output of commands should be tainted
224 my $foo = `$echo abc`;
225 test 32, tainted $foo;
228 # Certain system variables should be tainted
230 test 33, all_tainted $^X, $0;
233 # Results of matching should all be untainted
235 my $foo = "abcdefghi" . $TAINT;
236 test 34, tainted $foo;
239 test 35, not any_tainted $`, $&, $';
241 $foo =~ /(...)(...)(...)/;
242 test 36, not any_tainted $1, $2, $3, $+;
244 my @bar = $foo =~ /(...)(...)(...)/;
245 test 37, not any_tainted @bar;
247 test 38, tainted $foo; # $foo should still be tainted!
248 test 39, $foo eq "abcdefghi";
251 # Operations which affect files can't use tainted data.
253 test 40, eval { chmod 0, $TAINT } eq '', 'chmod';
254 test 41, $@ =~ /^Insecure dependency/, $@;
256 # There is no feature test in $Config{} for truncate,
257 # so we allow for the possibility that it's missing.
258 test 42, eval { truncate 'NoSuChFiLe', $TAINT0 } eq '', 'truncate';
259 test 43, $@ =~ /^(?:Insecure dependency|truncate not implemented)/, $@;
261 test 44, eval { rename '', $TAINT } eq '', 'rename';
262 test 45, $@ =~ /^Insecure dependency/, $@;
264 test 46, eval { unlink $TAINT } eq '', 'unlink';
265 test 47, $@ =~ /^Insecure dependency/, $@;
267 test 48, eval { utime $TAINT } eq '', 'utime';
268 test 49, $@ =~ /^Insecure dependency/, $@;
270 if ($Config{d_chown}) {
271 test 50, eval { chown -1, -1, $TAINT } eq '', 'chown';
272 test 51, $@ =~ /^Insecure dependency/, $@;
275 print "# chown() is not available\n";
276 for (50..51) { print "ok $_\n" }
279 if ($Config{d_link}) {
280 test 52, eval { link $TAINT, '' } eq '', 'link';
281 test 53, $@ =~ /^Insecure dependency/, $@;
284 print "# link() is not available\n";
285 for (52..53) { print "ok $_\n" }
288 if ($Config{d_symlink}) {
289 test 54, eval { symlink $TAINT, '' } eq '', 'symlink';
290 test 55, $@ =~ /^Insecure dependency/, $@;
293 print "# symlink() is not available\n";
294 for (54..55) { print "ok $_\n" }
298 # Operations which affect directories can't use tainted data.
300 test 56, eval { mkdir $TAINT0, $TAINT } eq '', 'mkdir';
301 test 57, $@ =~ /^Insecure dependency/, $@;
303 test 58, eval { rmdir $TAINT } eq '', 'rmdir';
304 test 59, $@ =~ /^Insecure dependency/, $@;
306 test 60, eval { chdir $TAINT } eq '', 'chdir';
307 test 61, $@ =~ /^Insecure dependency/, $@;
309 if ($Config{d_chroot}) {
310 test 62, eval { chroot $TAINT } eq '', 'chroot';
311 test 63, $@ =~ /^Insecure dependency/, $@;
314 print "# chroot() is not available\n";
315 for (62..63) { print "ok $_\n" }
319 # Some operations using files can't use tainted data.
321 my $foo = "imaginary library" . $TAINT;
322 test 64, eval { require $foo } eq '', 'require';
323 test 65, $@ =~ /^Insecure dependency/, $@;
325 my $filename = "./taintB$$"; # NB: $filename isn't tainted!
326 END { unlink $filename if defined $filename }
327 $foo = $filename . $TAINT;
328 unlink $filename; # in any case
330 test 66, eval { open FOO, $foo } eq '', 'open for read';
331 test 67, $@ eq '', $@; # NB: This should be allowed
332 test 68, $! == 2; # File not found
334 test 69, eval { open FOO, "> $foo" } eq '', 'open for write';
335 test 70, $@ =~ /^Insecure dependency/, $@;
338 # Commands to the system can't use tainted data
342 if ($^O eq 'amigaos') {
343 print "# open(\"|\") is not available\n";
344 for (71..74) { print "ok $_\n" }
347 test 71, eval { open FOO, "| $foo" } eq '', 'popen to';
348 test 72, $@ =~ /^Insecure dependency/, $@;
350 test 73, eval { open FOO, "$foo |" } eq '', 'popen from';
351 test 74, $@ =~ /^Insecure dependency/, $@;
354 test 75, eval { exec $TAINT } eq '', 'exec';
355 test 76, $@ =~ /^Insecure dependency/, $@;
357 test 77, eval { system $TAINT } eq '', 'system';
358 test 78, $@ =~ /^Insecure dependency/, $@;
363 test 79, eval { `$echo 1$foo` } eq '', 'backticks';
364 test 80, $@ =~ /^Insecure dependency/, $@;
366 if ($Is_VMS) { # wildcard expansion doesn't invoke shell, so is safe
367 test 81, join('', eval { glob $foo } ) ne '', 'globbing';
368 test 82, $@ eq '', $@;
371 test 81, join('', eval { glob $foo } ) eq '', 'globbing';
372 test 82, $@ =~ /^Insecure dependency/, $@;
376 # Operations which affect processes can't use tainted data.
378 test 83, eval { kill 0, $TAINT } eq '', 'kill';
379 test 84, $@ =~ /^Insecure dependency/, $@;
381 if ($Config{d_setpgrp}) {
382 test 85, eval { setpgrp 0, $TAINT } eq '', 'setpgrp';
383 test 86, $@ =~ /^Insecure dependency/, $@;
386 print "# setpgrp() is not available\n";
387 for (85..86) { print "ok $_\n" }
390 if ($Config{d_setprior}) {
391 test 87, eval { setpriority 0, $TAINT, $TAINT } eq '', 'setpriority';
392 test 88, $@ =~ /^Insecure dependency/, $@;
395 print "# setpriority() is not available\n";
396 for (87..88) { print "ok $_\n" }
400 # Some miscellaneous operations can't use tainted data.
402 if ($Config{d_syscall}) {
403 test 89, eval { syscall $TAINT } eq '', 'syscall';
404 test 90, $@ =~ /^Insecure dependency/, $@;
407 print "# syscall() is not available\n";
408 for (89..90) { print "ok $_\n" }
415 my $temp = "./taintC$$";
417 test 91, open(FOO, "> $temp"), "Couldn't open $temp for write: $!";
419 test 92, eval { ioctl FOO, $TAINT, $foo } eq '', 'ioctl';
420 test 93, $@ =~ /^Insecure dependency/, $@;
422 if ($Config{d_fcntl}) {
423 test 94, eval { fcntl FOO, $TAINT, $foo } eq '', 'fcntl';
424 test 95, $@ =~ /^Insecure dependency/, $@;
427 print "# fcntl() is not available\n";
428 for (94..95) { print "ok $_\n" }
435 # Some tests involving references
437 my $foo = 'abc' . $TAINT;
439 test 96, not tainted $fooref;
440 test 97, tainted $$fooref;
441 test 98, tainted $foo;