system and taintedness

Message-ID: <15362.28917.697078.551412@ix.netsoft.ro>

p4raw-id: //depot/perl@13287

diff --git a/pp_sys.c b/pp_sys.c
index 4b9b096..a2d5721 100644 (file)
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -4030,6 +4030,16 @@ PP(pp_system)
         int status;
         Sigsave_t ihand,qhand;     /* place to save signals during system() */
         
+        if (PL_tainting) {
+            SV *cmd = NULL;
+            if (PL_op->op_flags & OPf_STACKED)
+               cmd = *(MARK + 1);
+            else if (SP - MARK != 1)
+               cmd = *SP;
+            if (cmd && *(SvPV_nolen(cmd)) != '/')
+               TAINT_ENV();
+        }
+
         if (PerlProc_pipe(pp) >= 0)
              did_pipes = 1;
         while ((childpid = PerlProc_fork()) == -1) {

diff --git a/t/op/taint.t b/t/op/taint.t
index 29b5839..21cf2fa 100755 (executable)
--- a/t/op/taint.t
+++ b/t/op/taint.t
@@ -123,7 +123,7 @@ print PROG 'print "@ARGV\n"', "\n";
 close PROG;
 my $echo = "$Invoke_Perl $ECHO";
 
-print "1..182\n";
+print "1..183\n";
 
 # First, let's make sure that Perl is checking the dangerous
 # environment variables. Maybe they aren't set yet, so we'll
@@ -918,3 +918,11 @@ ok( $@ =~ /^Modification of a read-only value attempted/,
     my $re3 = "$re2";
     test 182, tainted $re3;
 }
+
+
+{
+    # bug 20010221.005
+    local $ENV{PATH} .= $TAINT;
+    eval { system { "echo" } "/arg0", "arg1" };
+    test 183, $@ =~ /^Insecure \$ENV/;
+}