
[perl #27344] pos() does not get updated when running in taint mode


perlbug-...@perl.org

Mar 3, 2004, 5:13:17 AM
to bugs-bi...@netlabs.develooper.com
# New Ticket Created by fa...@noris.net
# Please include the string: [perl #27344]
# in the subject line of all future correspondence about this issue.
# <URL: http://rt.perl.org:80/rt3/Ticket/Display.html?id=27344 >

This is a bug report for perl from fa...@noris.net,
generated with the help of perlbug 1.34 running under perl v5.8.3.


-----------------------------------------------------------------
[Please enter your report here]

I discovered that the pos() of a string does not get updated
under some conditions when running in taint mode.

This can be reproduced as follows:

| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }'
| 1
| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }' -T
|

I discovered the bug because Text::Wrapper got into an endless
loop when running in taint mode.

I could reproduce it with various perl versions (5.005_03, 5.6.1
and 5.8.3) on different linux systems (RedHat 6.1 and 7.1, SuSE
9.0).

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=medium
---
Site configuration information for perl v5.8.3:

Configured by fany at Mon Jan 19 12:59:51 CET 2004.

Summary of my perl5 (revision 5.0 version 8 subversion 3) configuration:
Platform:
osname=linux, osvers=2.4.21-99-default, archname=i686-linux-64int-ld
uname='linux fany 2.4.21-99-default #1 wed sep 24 13:30:51 utc 2003 i686 athlon i386 gnulinux '
config_args=''
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=define use64bitall=undef uselongdouble=define
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O3 -march=athlon-xp',
cppflags='-fno-strict-aliasing -I/usr/local/include'
ccversion='', gccversion='3.3.1 (SuSE Linux)', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='cc', ldflags =' -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib
libs=-lnsl -ldb -ldl -lm -lcrypt -lutil -lc
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
libc=, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.3.2'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

---
@INC for perl v5.8.3:
/usr/local/lib/perl5/5.8.3/i686-linux-64int-ld
/usr/local/lib/perl5/5.8.3
/usr/local/lib/perl5/site_perl/5.8.3/i686-linux-64int-ld
/usr/local/lib/perl5/site_perl/5.8.3
/usr/local/lib/perl5/site_perl
.

---
Environment for perl v5.8.3:
HOME=/home/fany
LANG=de_DE@euro
LANGUAGE (unset)
LC_COLLATE=POSIX
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/fany/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/openwin/bin:/usr/lib/java/bin
PERL_BADLANG (unset)
SHELL=/bin/bash

Dave Mitchell

Mar 24, 2004, 7:27:29 PM
to perl5-...@perl.org
On Wed, Mar 03, 2004 at 10:13:17AM -0000, fa...@noris.net (via RT) wrote:
> I discovered that the pos() of a string does not get updated
> under some conditions when running in taint mode.
>
> This can be reproduced as follows:
>
> | $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }'
> | 1
> | $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }' -T
> |

Thanks for the report.

P5Pers: the error occurs in pp_aelemfast(), which does the $_[0] in the
sub; the code looks like:

    U32 lval = PL_op->op_flags & OPf_MOD;              /* is the element wanted as an lvalue? */
    SV** svp = av_fetch(av, PL_op->op_private, lval);  /* index of $_[N] is stored in op_private */
    SV *sv = (svp ? *svp : &PL_sv_undef);
    EXTEND(SP, 1);
    if (!lval && SvGMAGICAL(sv)) /* see note in pp_helem() */
        sv = sv_mortalcopy(sv);                        /* rvalue with get-magic: push a copy, not the element */

For some reason the aelemfast opcode isn't marked as OPf_MOD, and since
in the taint case $a is already magical due to the tainting, a mortal
copy is made which then gets matched against. Thus the copy gets the
pos() magic attached rather than $a.

It's too late in the evening for my poor brain to work out the correct
fix; I suspect the OPf_MOD flag needs setting, but I may be wrong...

Dave.

--
This email is confidential, and now that you have read it you are legally
obliged to shoot yourself. Or shoot a lawyer, if you prefer. If you have
received this email in error, place it in its original wrapping and return
for a full refund. By opening this email, you accept that Elvis lives.
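An added example, not code from the report, from Text::Wrapper or from Dave Mitchell's reply: it reproduces the symptom in a form that cannot hang, probes whether pos() set through $_[0] reaches the caller's variable, and shows two ways a sub can consume a possibly tainted string without depending on that. The `\$_[0]` variant rests on the reply's OPf_MOD reasoning (taking a reference compiles the element fetch as an lvalue, so no mortal copy is made) and is an assumption, not something the thread confirms; the lexical-copy variant needs no such assumption. Input is assumed to arrive on STDIN, e.g. `echo 'foo bar baz' | perl -T pos27344.pl` (tainted) versus `echo 'foo bar baz' | perl pos27344.pl` (untainted); the script name is made up.

```perl
# Added example for perl #27344. Not code from the report, from
# Text::Wrapper or from the reply. Run with and without -T:
#   echo 'foo bar baz' | perl -T pos27344.pl
#   echo 'foo bar baz' | perl    pos27344.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The pattern from the report: match against the @_ alias of the caller's
# variable and rely on pos() advancing on that variable between calls.
# On affected perls under -T the match runs on a mortal copy, pos() never
# reaches the caller's string, and a loop built on this never terminates.
sub next_token_via_alias {
    return $_[0] =~ /\G\s*(\S+)/gc ? $1 : undef;
}

# Assumption based on the reply's OPf_MOD analysis: `\$_[0]` compiles the
# element fetch as an lvalue, so no mortal copy is made and the match sets
# pos() on the caller's real variable.
sub next_token_via_ref {
    my $ref = \$_[0];
    return $$ref =~ /\G\s*(\S+)/gc ? $1 : undef;
}

# Robust form: copy once into a lexical and keep pos() on that lexical for
# the whole loop. Correct whether or not pos() propagates through @_.
sub tokenize_all {
    my $text = shift;
    my @tokens;
    while ($text =~ /\G\s*(\S+)/gc) {
        push @tokens, $1;
    }
    return @tokens;
}

# Probe: does a match through $_[0] leave pos() set on the caller's
# variable? 1 on correct perls, 0 when the #27344 behaviour shows.
sub pos_propagates {
    my $probe = shift;      # the copy keeps the taint flag and its magic
    pos($probe) = undef;
    next_token_via_alias($probe);
    return defined pos($probe) ? 1 : 0;
}

# Bounded driver: calls $next repeatedly and gives up after $limit calls,
# so a non-advancing pos() shows up as "STUCK" instead of an endless loop.
sub drain {
    my ($label, $next, $limit) = @_;
    my $calls = 0;
    while (defined(my $tok = $next->())) {
        print "$label: $tok\n";
        if (++$calls >= $limit) {
            print "$label: STUCK after $limit calls, pos() is not advancing\n";
            return 0;
        }
    }
    return 1;
}

my $line = <STDIN>;
$line = "foo bar baz\n" unless defined $line;  # a literal is never tainted
chomp $line;

print "input tainted: ", (tainted($line) ? "yes" : "no"), "\n";
print "pos() propagates through \$_[0]: ",
      (pos_propagates($line) ? "yes" : "no"), "\n";

pos($line) = undef;
drain("alias", sub { next_token_via_alias($line) }, 10);
pos($line) = undef;
drain("ref",   sub { next_token_via_ref($line) }, 10);
pos($line) = undef;
print "lexical: @{[ tokenize_all($line) ]}\n";
```

On a perl with the reported behaviour, the `-T` run reports "input tainted: yes", "pos() propagates through $_[0]: no" and the "alias" driver prints the first token ten times before reporting STUCK, while the "ref" and "lexical" forms consume the whole line; without `-T`, or on a perl where the element is fetched as an lvalue, all three forms behave the same. The bounded driver is the practical lesson from the Text::Wrapper hang: any loop that relies on pos() advancing on a variable it does not own should either hold that variable in a lexical or cap its iterations.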
