From: Jarkko Hietaniemi Date: Sun, 20 May 2001 20:33:08 +0000 (+0000) Subject: Fix for ID 20010519.003: sysopen() wasn't tainting :-( X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=b94c04ac6df92c9dfee67602a1c95e58aa18b7fa;p=p5sagit%2Fp5-mst-13.2.git Fix for ID 20010519.003: sysopen() wasn't tainting :-( p4raw-id: //depot/perl@10172 --- diff --git a/doio.c b/doio.c index fd40ae0..87e5901 100644 --- a/doio.c +++ b/doio.c @@ -141,12 +141,14 @@ Perl_do_openn(pTHX_ GV *gv, register char *name, I32 len, int as_raw, /* sysopen style args, i.e. integer mode and permissions */ STRLEN ix = 0; if (num_svs != 0) { - Perl_croak(aTHX_ "panic:sysopen with multiple args"); + Perl_croak(aTHX_ "panic: sysopen with multiple args"); } + if (rawmode & (O_WRONLY|O_RDWR|O_APPEND|O_CREAT|O_TRUNC)) + TAINT_PROPER("sysopen"); mode[ix++] = '#'; /* Marker to openn to use numeric "sysopen" */ #if defined(USE_64_BIT_RAWIO) && defined(O_LARGEFILE) - rawmode |= O_LARGEFILE; + rawmode |= O_LARGEFILE; /* Transparently largefiley. */ #endif #ifndef O_ACCMODE @@ -193,7 +195,7 @@ Perl_do_openn(pTHX_ GV *gv, register char *name, I32 len, int as_raw, num_svs = 1; svp = &namesv; type = Nullch; - fp = PerlIO_openn(aTHX_ type,mode, -1, rawmode, rawperm, NULL, num_svs, svp); + fp = PerlIO_openn(aTHX_ type, mode, -1, rawmode, rawperm, NULL, num_svs, svp); } else { /* Regular (non-sys) open */ diff --git a/t/op/taint.t b/t/op/taint.t index 8ff566e..737c2ea 100755 --- a/t/op/taint.t +++ b/t/op/taint.t @@ -106,7 +106,7 @@ print PROG 'print "@ARGV\n"', "\n"; close PROG; my $echo = "$Invoke_Perl $ECHO"; -print "1..155\n"; +print "1..173\n"; # First, let's make sure that Perl is checking the dangerous # environment variables. Maybe they aren't set yet, so we'll @@ -735,3 +735,67 @@ else { close IN; } +{ + # bug id 20010519.003 + + use Fcntl; + + my $evil = "foo" . $TAINT; + + eval { sysopen(my $ro, $evil, O_RDONLY) }; + test 156, $@ !~ /^Insecure dependency/, $@; + + eval { sysopen(my $wo, $evil, O_WRONLY) }; + test 157, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $rw, $evil, O_RDWR) }; + test 158, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $ap, $evil, O_APPEND) }; + test 159, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $cr, $evil, O_CREAT) }; + test 160, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $tr, $evil, O_TRUNC) }; + test 161, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $ro, "foo", O_RDONLY | $evil) }; + test 162, $@ !~ /^Insecure dependency/, $@; + + eval { sysopen(my $wo, "foo", O_WRONLY | $evil) }; + test 163, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $rw, "foo", O_RDWR | $evil) }; + test 164, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $ap, "foo", O_APPEND | $evil) }; + test 165, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $cr, "foo", O_CREAT | $evil) }; + test 166, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $tr, "foo", O_TRUNC | $evil) }; + test 167, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $ro, "foo", O_RDONLY, $evil) }; + test 168, $@ !~ /^Insecure dependency/, $@; + + eval { sysopen(my $wo, "foo", O_WRONLY, $evil) }; + test 169, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $rw, "foo", O_RDWR, $evil) }; + test 170, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $ap, "foo", O_APPEND, $evil) }; + test 171, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $cr, "foo", O_CREAT, $evil) }; + test 172, $@ =~ /^Insecure dependency/, $@; + + eval { sysopen(my $tr, "foo", O_TRUNC, $evil) }; + test 173, $@ =~ /^Insecure dependency/, $@; + + unlink("foo"); # not unlink($evil), because that would fail... +} +