comment on

In the course of testing a function that manipulated taint, I tried to verify that some data was tainted. From this I noticed something rather odd with taint (or, as Ovid put it, "This is totally screwy."). Taint should affect all data derived from outside the program itself, but I was seeing user-supplied arguments as untainted.

This quick test which should show $match, $two and $ENV{PATH} as tainted:

#!/usr/bin/perl -T
use strict;
use CGI;
use Getopt::Long;

my $match = CGI::param('a');

my $two;
GetOptions('b' => \$two);

print "Running...\nPerl version: $]\nOsname: $^O\nExecutable name: $^X
+\n\n";

my @data = ( 'zot', $match, $two, $ENV{PATH} );
foreach my $data ( @data ) {
    my $result = is_tainted($data)
        ? "$data is tainted\n"
        : "$data is not tainted\n";
    print $result;

    $result = is_tainted_two($data)
        ? "$data is tainted\n"
        : "$data is not tainted\n";
    print $result;
}

# Camel, 2nd edition (p. 358) taint check
sub is_tainted {
    return not eval{
        join("",@_), kill 0;
        1;
    }
}

# Camel, 3rd edition (p. 561) taint check
sub is_tainted_two {
    my $arg = shift;
    my $nada = substr($arg, 0, 0);
    local $@;
    eval {eval "# $nada"};
    return length($@) != 0;
}
[download]

However, when I tested it only $ENV{PATH} was found to be tainted. I tested this on four different computers with two different operating systems and a total of four different perl versions, and that was always the result.

Here is the output (I've left off $ENV{PATH} because it was too long), called with the -b flag:

# version 5.005_03 built for i386-freebsd
# FreeBSD our 4.4-RC FreeBSD 4.4-RC #7: Sun Aug 26 09:54:54 CET 2001 i386 # AND
# FreeBSD ns1 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 i386

(offline mode: enter name=value pairs on standard input)
a=foo
Running...
Perl version: 5.00503
Osname: freebsd
Executable name: /usr/bin/perl

zot is not tainted
zot is not tainted
foo is not tainted
foo is not tainted
1 is not tainted
1 is not tainted

######################################

# v5.7.3 built for i686-linux-64int
# Linux gremlin 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
# For some reason, this one didn't prompt me to enter the CGI arg
# in offline mode.

Running...
Perl version: 5.007003
Osname: linux
Executable name: /root/perl/bin/perl5.7.3

zot is not tainted
zot is not tainted
 is not tainted
 is not tainted
1 is not tainted
1 is not tainted

######################################

# v5.6.0 built for i386-linux
# Linux gremlin 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown

(offline mode: enter name=value pairs on standard input)
a=foo
Running...
Perl version: 5.006
Osname: linux
Executable name: /usr/bin/perl

zot is not tainted
zot is not tainted
foo is not tainted
foo is not tainted
1 is not tainted
1 is not tainted

######################################

# perl5 (revision 5.0 version 6 subversion 1)
# linux funky 2.4.17-0.13smp #1 smp fri feb 1 10:30:48 est 2002 i686 unknown

Running...
Perl version: 5.006001
Osname: linux
Executable name: /usr/bin/perl

zot is not tainted
zot is not tainted
 is not tainted
 is not tainted
1 is not tainted
1 is not tainted

Ovid tested an earlier version of this test program which didn't use Getopt::Long or is_tainted_two (and had another string 'Ovid') and got this result:

D:\cygwin\home\Ovid>perl -T taint.pl a=1
zot is not tainted
1 is tainted
Ovid is not tainted

I was only able to think of a few possible explanations:

I'm using a bad check for taintedness--but I've used two different published methods for checking it,
The taint checks don't behave the way I think they do--but they are described as tests of whether a variable contains tainted data,
The method of deriving the data is at fault--but I've tried two different methods of getting user input,
Taint doesn't behave the way I think it does--but that would still leave a problem because Ovid's output differs from mine,
I've written some test code which has a bug in it I haven't seen (in which case I plan to blame Ovid, since we were tossing this back and forth ;), or
This is a bug in perl--but it would be a very long-standing one to exist in both 5.5.3 and 5.7.3.

I admit to not being very adept with searching the bug database, so the fact that I couldn't find a mention of this is not necessarily meaningful. I would find it hard to believe this could be a perl bug and have existed unnoticed this long.

I am wondering if anyone is able to provide a sensible explanation for what I've noted.

Update: Per a msged suggestion, I turned on warnings to see if there was the 'too late for -T' error, but there were only the expected 'use of unit value' warnings.

In reply to variable I expect to be tainted isn't: possible explanations? by kudra

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


more useful options
	PerlMonks