This queue is for tickets about the MailTools CPAN distribution.

Report information
The Basics
Id: 16917
Status: resolved
Priority: 0/
Queue: MailTools

People
Owner: Nobody in particular
Requestors: ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.67
Fixed in: (no value)



Subject: Mail::Address taints its data due to 'use locale'
Hi,

Mail::Address taints its data. Consider:

    #!/usr/bin/perl -wT
    use strict;
    use Scalar::Util qw(tainted);
    use Mail::Address;

    my @a = map { $_->address } Mail::Address->parse('user@domain.invalid');

    warn("tainted: $a[0]") if tainted($a[0]);

This outputs

    tainted: user@domain.invalid at ./a.pl line 8.

for me on Perl 5.8.4 and 5.8.7 on Debian GNU/Linux.

Clearly the input data was not tainted here, but the output is. This happens because Mail::Address has 'use locale' in effect, and the regexps at the end of _tokenise(), lines 122-125, match for whitespace (\s). This taints the data as documented in the perllocale document.

I don't have a good patch, but this is unexpected behaviour and I think it should be at least documented.

Cheers,
--
Niko Tyni ntyni@iki.fi

Yes, locale is the cause. I got this question some time ago as well, and couldn't think of any good reason to have locale support in the module. E-mail simply is ASCII.

IMO it is a relic of the first attempts to support Unicode with Perl, in the old days when Graham Barr was still maintainer of this module. It may cause unexpected behavior for the average module user. Besides, Mail::Address doesn't support charset-encodings well enough, so shouldn't try Unicode/locales in the first place.

With the chance that some rare applications may break a little, I will remove this 'use locale'. It was already away in my working version of the module, but now also released to CPAN (MailTools-v1.68).
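
The behaviour discussed in this ticket, as an added example that is not part of the original ticket or of MailTools: the same whitespace-based capture is run inside and outside the lexical scope of 'use locale' under taint mode, and the script reports whether each result is tainted. The helper names and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added illustration, not MailTools code. Run as: perl -T locale_taint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Hypothetical stand-in for a tokeniser step: capture a token delimited by
# whitespace while 'use locale' is in effect, as in the report above.
sub token_with_locale {
    use locale;
    my ($input) = @_;
    my ($token) = $input =~ /^\s*(\S+)\s*$/;
    return $token;
}

# Same regex, compiled outside the lexical scope of 'use locale'.
sub token_without_locale {
    my ($input) = @_;
    my ($token) = $input =~ /^\s*(\S+)\s*$/;
    return $token;
}

# Constructed sample input: a literal in the source, so it starts untainted.
my $clean = '  user@domain.invalid ';

for my $case (
    [ 'use locale', \&token_with_locale ],
    [ 'no locale',  \&token_without_locale ],
) {
    my ($label, $fn) = @$case;
    my $out = $fn->($clean);
    # Report the taint state of the input and of the captured token.
    printf "%-11s input tainted=%d  output tainted=%d  (%s)\n",
        $label, tainted($clean) ? 1 : 0, tainted($out) ? 1 : 0, $out;
}
```

A script like this can be kept as a regression check for any parser whose output later reaches a taint-checked operation such as open() or system().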