Bug #48654 for Template-Toolkit: Using TT causes unrelated unicode string to become tainted when regex substitution applied

This is distilled from https://bugzilla.mozilla.org/show_bug.cgi?id=509794 This is a really odd bug. On perl 5.8.8 (not 5.10.0), with TT 2.22 (and earlier versions) with the XS stash, using Template Toolkit causes a totally unrelated unicode string to become tainted when a regex substitution is applied to it. Run the attached file as |perl -wT test.cgi comment=test| to see this. The guts of the script is: my $message = ''; my $ttext = <<EOT; [% USE CGI %] [% IF CGI.param("comment") && CGI.param("comment").length > 0 %] [% END %] EOT $template->process(\$ttext, {}, \$message); my $a = 'x'; my $b = "test\x{2012}unicode"; my $summary = $a . ':' . $b; # Running the following line causes $summary to become tainted $summary =~ s/^[^:]+://; The following options work around the bug: * commenting out the call to $template->process * Using the pure-perl stash ($Template::Config::Stash = 'Template::Stash') * Not passing in a comment parameter to the script * Changing the template to any of: - [% IF CGI.param("comment").defined && CGI.param("comment").length > 0 %] - Remove the IF, ie just having [% CGI.param("comment") && CGI.param("comment").length > 0 %] - [% comment = CGI.param("comment") %][% IF comment && comment.length > 0 %] * Tweaking the regexp in various ways * Not generating $summary through string concatenation. Its possible that this is a perl bug, since it doesn't happen in 5.10, but not using the XS stash also fixes it, so it could be TT. Either way, its really odd The failing machine is centos 5.3 (32 bit), and the working machine is F11 (x86_64)