
This queue is for tickets about the Crypt-Rijndael CPAN distribution.

Report information
The Basics
Id: 40511
Status: resolved
Priority: 0/
Queue: Crypt-Rijndael

People
Owner: Nobody in particular
Requestors: dean [...] cs.serenevy.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.06
Fixed in: (no value)



Subject: tainted key fails with misleading "key must be a string scalar"
In taint mode a tainted key value issues the misleading "key must be a string scalar" error due to failing SvPOK check. Either alter test to accept tainted keys or alter error message to indicate that untainting may be necessary.

To recreate:

    #!/usr/bin/perl -wT
    use strict;
    use Crypt::Rijndael;
    my $key = substr($^X,0,0) . "a"x32;
    Crypt::Rijndael->new( $key, Crypt::Rijndael::MODE_CBC );

On Wed Oct 29 20:13:21 2008, dean@cs.serenevy.net wrote:
> In taint mode a tainted key value issues the misleading "key must be a
> string scalar" error due to failing SvPOK check. Either alter test to
> accept tainted keys or alter error message to indicate that untainting
> may be necessary.

I've updated the error message and uploaded 1.07_02 to PAUSE to let the CPAN Testers have a whack at it. I'm not a big internals guy, so if someone wants to use tainted data as an initialization vector, send me the patch.
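
One way a caller can handle a tainted key on their own side, as an added example that is not part of this ticket or of Crypt::Rijndael: check the key length and untaint it with a regex capture before calling new. The helper name untaint_key is hypothetical, and the sample keys are constructed the same way as in the report.

```perl
#!/usr/bin/perl -wT
# Added example: run under taint mode (-T), as in the report.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Crypt::Rijndael;

# Hypothetical helper, not part of Crypt::Rijndael: check that the key has a
# valid Rijndael length and return an untainted copy of it.
sub untaint_key {
    my ($key) = @_;
    die "key is undefined\n" unless defined $key;
    die "key is a reference, not a string\n" if ref $key;

    # A regex capture is the standard way to clear taint. Keys are raw
    # bytes, so only the length (16, 24 or 32 bytes) can be validated;
    # /s lets "." match a newline byte as well.
    if ( $key =~ /\A(.{16}|.{24}|.{32})\z/s ) {
        return $1;
    }
    die sprintf "key must be 16, 24 or 32 bytes, got %d\n", length $key;
}

# Constructed sample input: the tainted 32-byte key from the report.
my $key = substr( $^X, 0, 0 ) . "a" x 32;
print "key tainted before: ", ( tainted($key) ? "yes" : "no" ), "\n";

my $clean = untaint_key($key);
print "key tainted after:  ", ( tainted($clean) ? "yes" : "no" ), "\n";

my $cipher = Crypt::Rijndael->new( $clean, Crypt::Rijndael::MODE_CBC() );
print "cipher object created: ", ref($cipher), "\n";

# A tainted key of the wrong length is rejected with a message that names
# the real problem instead of a generic type error.
my $short = substr( $^X, 0, 0 ) . "a" x 10;
eval { untaint_key($short); 1 } or print "rejected: $@";
```

Length is the only property this helper checks, so it belongs after the point where the program has already decided the key's source is trusted.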