kudra wrote: I'm still not convinced it should be leaving them untainted rather than explicitly retainting them, but at least now I know why this is happening.
I think you're right. These variables should be left tainted. The following hack will leave them tainted.
sub shellwords {
    package shellwords;
    local($_) = join('', @_) if @_;
    # a zero-length substring of a tainted $_ is an empty but still
    # tainted string; appending it later re-taints each word
    my $tainted = defined $_ ? substr($_, 0, 0) : undef;
    local(@words, $snippet, $field);
    s/^\s+//;
    while ($_ ne '') {
        $field = '';
        for (;;) {
            if (s/^"(([^"\\]|\\.)*)"//) {
                ($snippet = $1) =~ s#\\(.)#$1#g;
            }
            elsif (/^"/) {
                die "Unmatched double quote: $_\n";
            }
            elsif (s/^'(([^'\\]|\\.)*)'//) {
                ($snippet = $1) =~ s#\\(.)#$1#g;
            }
            elsif (/^'/) {
                die "Unmatched single quote: $_\n";
            }
            elsif (s/^\\(.)//) {
                $snippet = $1;
            }
            elsif (s/^([^\s\\'"]+)//) {
                $snippet = $1;
            }
            else {
                s/^\s+//;
                last;
            }
            $field .= $snippet;
        }
        push(@words, $field);
    }
    # this loop will retaint the variables
    foreach (@words) {
        $_ .= $tainted if defined $tainted;
    }
    @words;
}
The only problem with this is that if something calls shellwords.pl with several variables, but only one is tainted, then *all* returned variables will be tainted. Is this a problem? I shouldn't think so, but I'm not sure. Also, who the heck would I submit this to? There's no name in the script and it looks like it's part of the standard distribution.
Update: chromatic suggested that it could be submitted to Perl 5 Porters. Will do.
Update 2: Benjamin Goldberg replied that my goal was good, but suggested using the 're' pragma. I resubmitted the patch to p5p as follows:
--- shellwords.pl.orig Tue May 21 10:04:07 2002
+++ shellwords.pl Tue May 21 11:12:45 2002
@@ -17,6 +17,7 @@
while ($_ ne '') {
$field = '';
for (;;) {
+ use re 'taint'; # leave strings tainted
if (s/^"(([^"\\]|\\.)*)"//) {
($snippet = $1) =~ s#\\(.)#$1#g;
}
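Review bot: `use re 'taint'` is a lexically scoped, compile-time pragma, so placing it inside the `for (;;)` body covers only the captures that follow it in that block (the `$1` assigned to `$snippet` in each branch); that is enough for this routine, but hoisting it to the top of `shellwords`, next to `package shellwords;`, would make the scope obvious to the next reader and would also cover any capture added to the `while` loop later. The comment `# leave strings tainted` could say why: without the pragma, each `$1` is laundered even though nothing about the input was validated.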
Cheers,
Ovid
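As an added illustration, not part of Ovid's post and not code from shellwords.pl: a small script run under `perl -T` that shows the laundering this thread is about, with a plain capture, a capture under `use re 'taint'`, and the append-an-empty-tainted-string hack side by side. The function names and the sample string are my own constructions; the only assumption is that `$ENV{PATH}` is set, since `%ENV` is the source of the tainted marker.

```perl
# Run under taint mode:  perl -T taint_captures.pl
# (a "-T" only on the shebang line gives "Too late for -T" when the
#  script is started as "perl script.pl", so pass the switch explicitly)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input. Under -T every %ENV value is tainted, so a
# zero-length slice of $ENV{PATH} is an empty *tainted* string; appending
# it taints the literal without changing its contents. (Assumes PATH is
# set; if it were not, the fallback '' would be untainted.)
my $taint_mark = substr($ENV{PATH} // '', 0, 0);
my $input      = q{ls -l "some dir"} . $taint_mark;

# Plain capture: Perl treats a successful match as validation and hands
# back an untainted copy, even though nothing was actually checked.
sub first_word_laundered {
    my ($s) = @_;
    my ($w) = $s =~ /^(\S+)/;
    return $w;
}

# use re 'taint' is a lexical pragma: from here to the end of the
# enclosing block, captures from a tainted target keep its taint.
sub first_word_re_taint {
    use re 'taint';
    my ($s) = @_;
    my ($w) = $s =~ /^(\S+)/;
    return $w;
}

# The hack from the post, in isolation: the capture is laundered by the
# match, then re-tainted by concatenating an empty tainted string.
sub first_word_retainted {
    my ($s) = @_;
    my $mark = substr($s, 0, 0);        # empty, carries $s's taint
    my ($w) = $s =~ /^(\S+)/;
    $w .= $mark if defined $w;
    return $w;
}

my %variants = (
    laundered => \&first_word_laundered,
    re_taint  => \&first_word_re_taint,
    retainted => \&first_word_retainted,
);

printf "input is %s\n", tainted($input) ? 'TAINTED' : 'untainted';
for my $name (sort keys %variants) {
    my $word = $variants{$name}->($input);
    printf "%-10s %-4s -> %s\n", $name, $word,
        tainted($word) ? 'TAINTED' : 'untainted';
}
```

The practical difference between the last two variants is where the decision lives: `use re 'taint'` stops the laundering at the point of capture, so it cannot be forgotten for a new branch, whereas the append hack has to be applied to every value on its way out and, as the post notes, taints all of them whenever any input was tainted.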