3 # Taint tests by Tom Phoenix <rootbeer@teleport.com>.
5 # I don't claim to know all about tainting. If anyone sees
6 # tests that I've missed here, please add them. But this is
7 # better than having no tests at all, right?
20 # We do not want the whole taint.t to fail
21 # just because Errno possibly failing.
22 eval { require Errno; import Errno };
24 use vars qw($ipcsysv); # did we manage to load IPC::SysV?
27 if ($^O eq 'VMS' && !defined($Config{d_setenv})) {
28 $ENV{PATH} = $ENV{PATH};
29 $ENV{TERM} = $ENV{TERM} ne ''? $ENV{TERM} : 'dummy';
31 if ($Config{'extensions'} =~ /\bIPC\/SysV\b/
32 && ($Config{d_shm} || $Config{d_msg})) {
33 eval { require IPC::SysV };
36 IPC::SysV->import(qw(IPC_PRIVATE IPC_RMID IPC_CREAT S_IRWXU));
41 my $Is_VMS = $^O eq 'VMS';
42 my $Is_MSWin32 = $^O eq 'MSWin32';
43 my $Is_NetWare = $^O eq 'NetWare';
44 my $Is_Dos = $^O eq 'dos';
45 my $Invoke_Perl = $Is_VMS ? 'MCR Sys$Disk:[]Perl.' :
46 ($Is_MSWin32 ? '.\perl' :
47 ($Is_NetWare ? 'perl' : './perl'));
48 my @MoreEnv = qw/IFS CDPATH ENV BASH_ENV/;
52 for $x ('DCL$PATH', @MoreEnv) {
53 ($old{$x}) = $ENV{$x} =~ /^(.*)$/ if exists $ENV{$x};
57 \$ENV{PATH} = '' if $Config{d_setenv};
58 warn "# Note: logical name 'PATH' may have been deleted\n";
59 \@ENV{keys %old} = values %old;
65 # The empty tainted value, for tainting strings
66 my $TAINT = substr($^X, 0, 0);
67 # A tainted zero, useful for tainting numbers
68 my $TAINT0 = 0 + $TAINT;
70 # This taints each argument passed. All must be lvalues.
71 # Side effect: It also stringifies them. :-(
73 for (@_) { $_ .= $TAINT }
76 # How to identify taint when you see it
78 not eval { join("",@_), kill 0; 1 };
84 for (@_) { return 0 unless tainted $_ }
89 my($serial, $boolean, $diag) = @_;
93 print "not ok $serial\n";
94 for (split m/^/m, $diag) {
99 or substr($diag, -1) eq "\n";
103 # We need an external program to call.
104 my $ECHO = ($Is_MSWin32 ? ".\\echo$$" : ($Is_NetWare ? "echo$$" : "./echo$$"));
106 open PROG, "> $ECHO" or die "Can't create $ECHO: $!";
107 print PROG 'print "@ARGV\n"', "\n";
109 my $echo = "$Invoke_Perl $ECHO";
113 # First, let's make sure that Perl is checking the dangerous
114 # environment variables. Maybe they aren't set yet, so we'll
115 # taint them ourselves.
117 $ENV{'DCL$PATH'} = '' if $Is_VMS;
120 delete @ENV{@MoreEnv};
123 test 1, eval { `$echo 1` } eq "1\n";
125 if ($Is_MSWin32 || $Is_NetWare || $Is_VMS || $Is_Dos) {
126 print "# Environment tainting tests skipped\n";
127 for (2..5) { print "ok $_\n" }
130 my @vars = ('PATH', @MoreEnv);
131 while (my $v = $vars[0]) {
132 local $ENV{$v} = $TAINT;
133 last if eval { `$echo 1` };
134 last unless $@ =~ /^Insecure \$ENV{$v}/;
137 test 2, !@vars, "\$$vars[0]";
139 # tainted $TERM is unsafe only if it contains metachars
141 $ENV{TERM} = 'e=mc2';
142 test 3, eval { `$echo 1` } eq "1\n";
143 $ENV{TERM} = 'e=mc2' . $TAINT;
144 test 4, eval { `$echo 1` } eq '';
145 test 5, $@ =~ /^Insecure \$ENV{TERM}/, $@;
149 if ($^O eq 'os2' || $^O eq 'amigaos' || $Is_MSWin32 || $Is_NetWare || $Is_Dos) {
150 print "# all directories are writeable\n";
153 $tmp = (grep { defined and -d and (stat _)[2] & 2 }
154 qw(sys$scratch /tmp /var/tmp /usr/tmp),
155 @ENV{qw(TMP TEMP)})[0]
156 or print "# can't find world-writeable directory to test PATH\n";
160 local $ENV{PATH} = $tmp;
161 test 6, eval { `$echo 1` } eq '';
162 test 7, $@ =~ /^Insecure directory in \$ENV{PATH}/, $@;
165 for (6..7) { print "ok $_ # Skipped: all directories are writeable\n" }
169 $ENV{'DCL$PATH'} = $TAINT;
170 test 8, eval { `$echo 1` } eq '';
171 test 9, $@ =~ /^Insecure \$ENV{DCL\$PATH}/, $@;
173 $ENV{'DCL$PATH'} = $tmp;
174 test 10, eval { `$echo 1` } eq '';
175 test 11, $@ =~ /^Insecure directory in \$ENV{DCL\$PATH}/, $@;
178 for (10..11) { print "ok $_ # Skipped: can't find world-writeable directory to test DCL\$PATH\n" }
180 $ENV{'DCL$PATH'} = '';
183 for (8..11) { print "ok $_ # Skipped: This is not VMS\n"; }
187 # Let's see that we can taint and untaint as needed.
190 test 12, tainted $foo;
192 # That was a sanity check. If it failed, stop the insanity!
193 die "Taint checks don't seem to be enabled" unless tainted $foo;
196 test 13, not tainted $foo;
199 test 14, tainted $foo;
202 test 15, not any_tainted @list;
203 taint_these @list[1,3,5,7,9];
204 test 16, any_tainted @list;
205 test 17, all_tainted @list[1,3,5,7,9];
206 test 18, not any_tainted @list[0,2,4,6,8];
208 ($foo) = $foo =~ /(.+)/;
209 test 19, not tainted $foo;
211 $foo = $1 if ('bar' . $TAINT) =~ /(.+)/;
212 test 20, not tainted $foo;
213 test 21, $foo eq 'bar';
218 ($foo) = ('bar' . $TAINT) =~ /(.+)/;
219 test 22, tainted $foo;
220 test 23, $foo eq 'bar';
222 $foo = $1 if ('bar' . $TAINT) =~ /(.+)/;
223 test 24, tainted $foo;
224 test 25, $foo eq 'bar';
227 $foo = $1 if 'bar' =~ /(.+)$TAINT/;
228 test 26, tainted $foo;
229 test 27, $foo eq 'bar';
231 my $pi = 4 * atan2(1,1) + $TAINT0;
232 test 28, tainted $pi;
234 ($pi) = $pi =~ /(\d+\.\d+)/;
235 test 29, not tainted $pi;
236 test 30, sprintf("%.5f", $pi) eq '3.14159';
239 # How about command-line arguments? The problem is that we don't
240 # always get some, so we'll run another process with some.
243 open PROG, "> $arg" or die "Can't create $arg: $!";
245 eval { join('', @ARGV), kill 0 };
246 exit 0 if $@ =~ /^Insecure dependency/;
247 print "# Oops: \$@ was [$@]\n";
251 print `$Invoke_Perl "-T" $arg and some suspect arguments`;
252 test 31, !$?, "Exited with status $?";
256 # Reading from a file should be tainted
259 test 32, open(FILE, $file), "Couldn't open '$file': $!";
262 sysread(FILE, $block, 100);
265 test 33, tainted $block;
266 test 34, tainted $line;
269 # Globs should be forbidden, except under VMS,
270 # which doesn't spawn an external program.
271 if (1 # built-in glob
273 for (35..36) { print "ok $_\n"; }
276 my @globs = eval { <*> };
277 test 35, @globs == 0 && $@ =~ /^Insecure dependency/;
279 @globs = eval { glob '*' };
280 test 36, @globs == 0 && $@ =~ /^Insecure dependency/;
283 # Output of commands should be tainted
285 my $foo = `$echo abc`;
286 test 37, tainted $foo;
289 # Certain system variables should be tainted
291 test 38, all_tainted $^X, $0;
294 # Results of matching should all be untainted
296 my $foo = "abcdefghi" . $TAINT;
297 test 39, tainted $foo;
300 test 40, not any_tainted $`, $&, $';
302 $foo =~ /(...)(...)(...)/;
303 test 41, not any_tainted $1, $2, $3, $+;
305 my @bar = $foo =~ /(...)(...)(...)/;
306 test 42, not any_tainted @bar;
308 test 43, tainted $foo; # $foo should still be tainted!
309 test 44, $foo eq "abcdefghi";
312 # Operations which affect files can't use tainted data.
314 test 45, eval { chmod 0, $TAINT } eq '', 'chmod';
315 test 46, $@ =~ /^Insecure dependency/, $@;
317 # There is no feature test in $Config{} for truncate,
318 # so we allow for the possibility that it's missing.
319 test 47, eval { truncate 'NoSuChFiLe', $TAINT0 } eq '', 'truncate';
320 test 48, $@ =~ /^(?:Insecure dependency|truncate not implemented)/, $@;
322 test 49, eval { rename '', $TAINT } eq '', 'rename';
323 test 50, $@ =~ /^Insecure dependency/, $@;
325 test 51, eval { unlink $TAINT } eq '', 'unlink';
326 test 52, $@ =~ /^Insecure dependency/, $@;
328 test 53, eval { utime $TAINT } eq '', 'utime';
329 test 54, $@ =~ /^Insecure dependency/, $@;
331 if ($Config{d_chown}) {
332 test 55, eval { chown -1, -1, $TAINT } eq '', 'chown';
333 test 56, $@ =~ /^Insecure dependency/, $@;
336 for (55..56) { print "ok $_ # Skipped: chown() is not available\n" }
339 if ($Config{d_link}) {
340 test 57, eval { link $TAINT, '' } eq '', 'link';
341 test 58, $@ =~ /^Insecure dependency/, $@;
344 for (57..58) { print "ok $_ # Skipped: link() is not available\n" }
347 if ($Config{d_symlink}) {
348 test 59, eval { symlink $TAINT, '' } eq '', 'symlink';
349 test 60, $@ =~ /^Insecure dependency/, $@;
352 for (59..60) { print "ok $_ # Skipped: symlink() is not available\n" }
356 # Operations which affect directories can't use tainted data.
358 test 61, eval { mkdir $TAINT0, $TAINT } eq '', 'mkdir';
359 test 62, $@ =~ /^Insecure dependency/, $@;
361 test 63, eval { rmdir $TAINT } eq '', 'rmdir';
362 test 64, $@ =~ /^Insecure dependency/, $@;
364 test 65, eval { chdir $TAINT } eq '', 'chdir';
365 test 66, $@ =~ /^Insecure dependency/, $@;
367 if ($Config{d_chroot}) {
368 test 67, eval { chroot $TAINT } eq '', 'chroot';
369 test 68, $@ =~ /^Insecure dependency/, $@;
372 for (67..68) { print "ok $_ # Skipped: chroot() is not available\n" }
376 # Some operations using files can't use tainted data.
378 my $foo = "imaginary library" . $TAINT;
379 test 69, eval { require $foo } eq '', 'require';
380 test 70, $@ =~ /^Insecure dependency/, $@;
382 my $filename = "./taintB$$"; # NB: $filename isn't tainted!
383 END { unlink $filename if defined $filename }
384 $foo = $filename . $TAINT;
385 unlink $filename; # in any case
387 test 71, eval { open FOO, $foo } eq '', 'open for read';
388 test 72, $@ eq '', $@; # NB: This should be allowed
390 # Try first new style but allow also old style.
391 test 73, $!{ENOENT} ||
392 $! == 2 || # File not found
393 ($Is_Dos && $! == 22) ||
394 ($^O eq 'mint' && $! == 33);
396 test 74, eval { open FOO, "> $foo" } eq '', 'open for write';
397 test 75, $@ =~ /^Insecure dependency/, $@;
400 # Commands to the system can't use tainted data
404 if ($^O eq 'amigaos') {
405 for (76..79) { print "ok $_ # Skipped: open('|') is not available\n" }
408 test 76, eval { open FOO, "| x$foo" } eq '', 'popen to';
409 test 77, $@ =~ /^Insecure dependency/, $@;
411 test 78, eval { open FOO, "x$foo |" } eq '', 'popen from';
412 test 79, $@ =~ /^Insecure dependency/, $@;
415 test 80, eval { exec $TAINT } eq '', 'exec';
416 test 81, $@ =~ /^Insecure dependency/, $@;
418 test 82, eval { system $TAINT } eq '', 'system';
419 test 83, $@ =~ /^Insecure dependency/, $@;
424 test 84, eval { `$echo 1$foo` } eq '', 'backticks';
425 test 85, $@ =~ /^Insecure dependency/, $@;
427 if ($Is_VMS) { # wildcard expansion doesn't invoke shell, so is safe
428 test 86, join('', eval { glob $foo } ) ne '', 'globbing';
429 test 87, $@ eq '', $@;
432 for (86..87) { print "ok $_ # Skipped: this is not VMS\n"; }
436 # Operations which affect processes can't use tainted data.
438 test 88, eval { kill 0, $TAINT } eq '', 'kill';
439 test 89, $@ =~ /^Insecure dependency/, $@;
441 if ($Config{d_setpgrp}) {
442 test 90, eval { setpgrp 0, $TAINT } eq '', 'setpgrp';
443 test 91, $@ =~ /^Insecure dependency/, $@;
446 for (90..91) { print "ok $_ # Skipped: setpgrp() is not available\n" }
449 if ($Config{d_setprior}) {
450 test 92, eval { setpriority 0, $TAINT, $TAINT } eq '', 'setpriority';
451 test 93, $@ =~ /^Insecure dependency/, $@;
454 for (92..93) { print "ok $_ # Skipped: setpriority() is not available\n" }
458 # Some miscellaneous operations can't use tainted data.
460 if ($Config{d_syscall}) {
461 test 94, eval { syscall $TAINT } eq '', 'syscall';
462 test 95, $@ =~ /^Insecure dependency/, $@;
465 for (94..95) { print "ok $_ # Skipped: syscall() is not available\n" }
472 my $temp = "./taintC$$";
474 test 96, open(FOO, "> $temp"), "Couldn't open $temp for write: $!";
476 test 97, eval { ioctl FOO, $TAINT, $foo } eq '', 'ioctl';
477 test 98, $@ =~ /^Insecure dependency/, $@;
479 if ($Config{d_fcntl}) {
480 test 99, eval { fcntl FOO, $TAINT, $foo } eq '', 'fcntl';
481 test 100, $@ =~ /^Insecure dependency/, $@;
484 for (99..100) { print "ok $_ # Skipped: fcntl() is not available\n" }
491 # Some tests involving references
493 my $foo = 'abc' . $TAINT;
495 test 101, not tainted $fooref;
496 test 102, tainted $$fooref;
497 test 103, tainted $foo;
500 # Some tests involving assignment
504 test 104, all_tainted $foo, $bar;
505 test 105, tainted($foo = $bar);
506 test 106, tainted($bar = $bar);
507 test 107, tainted($bar += $bar);
508 test 108, tainted($bar -= $bar);
509 test 109, tainted($bar *= $bar);
510 test 110, tainted($bar++);
511 test 111, tainted($bar /= $bar);
512 test 112, tainted($bar += 0);
513 test 113, tainted($bar -= 2);
514 test 114, tainted($bar *= -1);
515 test 115, tainted($bar /= 1);
516 test 116, tainted($bar--);
520 # Test assignment and return of lists
522 my @foo = ("A", "tainted" . $TAINT, "B");
523 test 118, not tainted $foo[0];
524 test 119, tainted $foo[1];
525 test 120, not tainted $foo[2];
527 test 121, not tainted $bar[0];
528 test 122, tainted $bar[1];
529 test 123, not tainted $bar[2];
530 my @baz = eval { "A", "tainted" . $TAINT, "B" };
531 test 124, not tainted $baz[0];
532 test 125, tainted $baz[1];
533 test 126, not tainted $baz[2];
534 my @plugh = eval q[ "A", "tainted" . $TAINT, "B" ];
535 test 127, not tainted $plugh[0];
536 test 128, tainted $plugh[1];
537 test 129, not tainted $plugh[2];
538 my $nautilus = sub { "A", "tainted" . $TAINT, "B" };
539 test 130, not tainted ((&$nautilus)[0]);
540 test 131, tainted ((&$nautilus)[1]);
541 test 132, not tainted ((&$nautilus)[2]);
542 my @xyzzy = &$nautilus;
543 test 133, not tainted $xyzzy[0];
544 test 134, tainted $xyzzy[1];
545 test 135, not tainted $xyzzy[2];
546 my $red_october = sub { return "A", "tainted" . $TAINT, "B" };
547 test 136, not tainted ((&$red_october)[0]);
548 test 137, tainted ((&$red_october)[1]);
549 test 138, not tainted ((&$red_october)[2]);
550 my @corge = &$red_october;
551 test 139, not tainted $corge[0];
552 test 140, tainted $corge[1];
553 test 141, not tainted $corge[2];
556 # Test for system/library calls returning string data of dubious origin.
558 # No reliable %Config check for getpw*
559 if (eval { setpwent(); getpwent(); 1 }) {
561 my @getpwent = getpwent();
562 die "getpwent: $!\n" unless (@getpwent);
563 test 142,( not tainted $getpwent[0]
564 and tainted $getpwent[1]
565 and not tainted $getpwent[2]
566 and not tainted $getpwent[3]
567 and not tainted $getpwent[4]
568 and not tainted $getpwent[5]
569 and tainted $getpwent[6] # ge?cos
570 and not tainted $getpwent[7]
571 and tainted $getpwent[8]); # shell
574 for (142) { print "ok $_ # Skipped: getpwent() is not available\n" }
577 if ($Config{d_readdir}) { # pretty hard to imagine not
579 opendir(D, "op") or die "opendir: $!\n";
580 my $readdir = readdir(D);
581 test 143, tainted $readdir;
584 for (143) { print "ok $_ # Skipped: readdir() is not available\n" }
587 if ($Config{d_readlink} && $Config{d_symlink}) {
588 my $symlink = "sl$$";
590 symlink("/something/naughty", $symlink) or die "symlink: $!\n";
591 my $readlink = readlink($symlink);
592 test 144, tainted $readlink;
595 for (144) { print "ok $_ # Skipped: readlink() or symlink() is not available\n"; }
599 # test bitwise ops (regression bug)
603 test 145, not tainted $j;
606 test 146, tainted $j;
609 # test target of substitution (regression bug)
611 my $why = $TAINT."y";
613 test 147, tainted $why;
617 test 148, tainted $why;
619 $why =~ s/e/'-'.$$/ge;
620 test 149, tainted $why;
626 print "ok 150 # skipped: no IPC::SysV\n";
629 if ($Config{'extensions'} =~ /\bIPC\/SysV\b/ && $Config{d_shm}) {
634 my $id = shmget(IPC_PRIVATE, $size, S_IRWXU);
637 if (shmwrite($id, $sent, 0, 60)) {
638 if (shmread($id, $rcvd, 0, 60)) {
639 substr($rcvd, index($rcvd, "\0")) = '';
641 warn "# shmread failed: $!\n";
644 warn "# shmwrite failed: $!\n";
646 shmctl($id, IPC_RMID, 0) or warn "# shmctl failed: $!\n";
648 warn "# shmget failed: $!\n";
651 if ($rcvd eq $sent) {
652 test 150, tainted $rcvd;
654 print "ok 150 # Skipped: SysV shared memory operation failed\n";
657 print "ok 150 # Skipped: SysV shared memory is not available\n";
664 print "ok 151 # skipped: no IPC::SysV\n";
667 if ($Config{'extensions'} =~ /\bIPC\/SysV\b/ && $Config{d_msg}) {
669 my $id = msgget(IPC_PRIVATE, IPC_CREAT | S_IRWXU);
671 my $sent = "message";
672 my $type_sent = 1234;
677 if (msgsnd($id, pack("l! a*", $type_sent, $sent), 0)) {
678 if (msgrcv($id, $rcvd, 60, 0, 0)) {
679 ($type_rcvd, $rcvd) = unpack("l! a*", $rcvd);
681 warn "# msgrcv failed\n";
684 warn "# msgsnd failed\n";
686 msgctl($id, IPC_RMID, 0) or warn "# msgctl failed: $!\n";
688 warn "# msgget failed\n";
691 if ($rcvd eq $sent && $type_sent == $type_rcvd) {
692 test 151, tainted $rcvd;
694 print "ok 151 # Skipped: SysV message queue operation failed\n";
697 print "ok 151 # Skipped: SysV message queues are not available\n";
702 # bug id 20001004.006
704 open IN, "./TEST" or warn "$0: cannot read ./TEST: $!" ;
708 print "not " unless tainted($a) && tainted($b) && !defined($b);
714 # bug id 20001004.007
716 open IN, "./TEST" or warn "$0: cannot read ./TEST: $!" ;
721 print "not " unless !tainted($c->{a}) && tainted($c->{b});
726 print "not " unless tainted($d->{a}) && !tainted($d->{b});
730 b => { c => $a, d => 42 } };
731 print "not " unless !tainted($e->{a}) &&
733 tainted($e->{b}->{c}) &&
734 !tainted($e->{b}->{d});
741 # bug id 20010519.003
744 use vars qw($has_fcntl);
745 eval { require Fcntl; import Fcntl; };
751 unless ($has_fcntl) {
753 print "ok $_ # Skip: no Fcntl (no dynaloading?)\n";
756 my $evil = "foo" . $TAINT;
758 eval { sysopen(my $ro, $evil, &O_RDONLY) };
759 test 156, $@ !~ /^Insecure dependency/, $@;
761 eval { sysopen(my $wo, $evil, &O_WRONLY) };
762 test 157, $@ =~ /^Insecure dependency/, $@;
764 eval { sysopen(my $rw, $evil, &O_RDWR) };
765 test 158, $@ =~ /^Insecure dependency/, $@;
767 eval { sysopen(my $ap, $evil, &O_APPEND) };
768 test 159, $@ =~ /^Insecure dependency/, $@;
770 eval { sysopen(my $cr, $evil, &O_CREAT) };
771 test 160, $@ =~ /^Insecure dependency/, $@;
773 eval { sysopen(my $tr, $evil, &O_TRUNC) };
774 test 161, $@ =~ /^Insecure dependency/, $@;
776 eval { sysopen(my $ro, "foo", &O_RDONLY | $evil) };
777 test 162, $@ !~ /^Insecure dependency/, $@;
779 eval { sysopen(my $wo, "foo", &O_WRONLY | $evil) };
780 test 163, $@ =~ /^Insecure dependency/, $@;
782 eval { sysopen(my $rw, "foo", &O_RDWR | $evil) };
783 test 164, $@ =~ /^Insecure dependency/, $@;
785 eval { sysopen(my $ap, "foo", &O_APPEND | $evil) };
786 test 165, $@ =~ /^Insecure dependency/, $@;
788 eval { sysopen(my $cr, "foo", &O_CREAT | $evil) };
789 test 166, $@ =~ /^Insecure dependency/, $@;
791 eval { sysopen(my $tr, "foo", &O_TRUNC | $evil) };
792 test 167, $@ =~ /^Insecure dependency/, $@;
794 eval { sysopen(my $ro, "foo", &O_RDONLY, $evil) };
795 test 168, $@ !~ /^Insecure dependency/, $@;
797 eval { sysopen(my $wo, "foo", &O_WRONLY, $evil) };
798 test 169, $@ =~ /^Insecure dependency/, $@;
800 eval { sysopen(my $rw, "foo", &O_RDWR, $evil) };
801 test 170, $@ =~ /^Insecure dependency/, $@;
803 eval { sysopen(my $ap, "foo", &O_APPEND, $evil) };
804 test 171, $@ =~ /^Insecure dependency/, $@;
806 eval { sysopen(my $cr, "foo", &O_CREAT, $evil) };
807 test 172, $@ =~ /^Insecure dependency/, $@;
809 eval { sysopen(my $tr, "foo", &O_TRUNC, $evil) };
810 test 173, $@ =~ /^Insecure dependency/, $@;
812 unlink("foo"); # not unlink($evil), because that would fail...
821 $SIG{__WARN__} = sub { print "not " };
824 my $divnum = shift()/1;
825 sprintf("%1.1f\n", $divnum);
projects / p5sagit/p5-mst-13.2.git / blob