| Subject: | Taint mode problem with $AUTOLOAD, Perl 5.10 |
The W3C Markup Validator and Link Checker are affected by an apparent
$AUTOLOAD tainting issue in LWP with Perl 5.10 - see "$AUTOLOAD can now
be tainted" in its perldelta.
I haven't managed to produce a minimal test case for this, but both the
above above mentioned applications are running as CGI scripts.
For example:
http://qa-dev.w3.org/wmvs/HEAD/check?uri=http%3A%2F%2Fqa-dev.w3.org%2F&charset=(detect+automatically)&doctype=Inline&ss=1&group=0&user-agent=W3C_Validator%2F1.603
-> Insecure dependency in eval while running with -T switch at
/usr/local/share/perl/5.10.0/HTTP/Message.pm line 413.
If the "user-agent" query string parameter is dropped from the above,
the problem does not occur. I'm not sure I understand what's going on;
why is the method name tainted in HTTP::Message::AUTOLOAD? I can
understand the data passed to agent() being tainted, but that shouldn't
trigger this, right? Validator's affected source code can be viewed
e.g. at
http://dev.w3.org/cvsweb/~checkout~/validator/httpd/cgi-bin/check?rev=1.603&content-type=text/plain
The attached patch seems to fix the immediate problem, but as said I
don't claim to understand this fully, nor obviously if this is the best
way to deal with the problem. Thoughts?
| Subject: | lwp-untaint.patch |
diff --git a/lib/HTTP/Message.pm b/lib/HTTP/Message.pm
index 12acdfa..4c15fb2 100644
--- a/lib/HTTP/Message.pm
+++ b/lib/HTTP/Message.pm
@@ -404,7 +404,7 @@ sub _stale_content {
# delegate all other method calls the the _headers object.
sub AUTOLOAD
{
- my $method = substr($AUTOLOAD, rindex($AUTOLOAD, '::')+2);
+ my ($method) = ($AUTOLOAD =~ /^.*::(.+)$/); # untaint
return if $method eq "DESTROY";
# We create the function here so that it will not need to be