Skip Menu |

This queue is for tickets about the Data-FormValidator CPAN distribution.

Maintainer(s)' notes

This is the bug queue for Data::FormValidator.

Report information
The Basics
Id: 61792
Status: open
Priority: 0/
Queue: Data-FormValidator
People
Owner: MARKSTOS [...] cpan.org
Requestors: dam [...] cpan.org
dst [...] heise.de
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 4.65
Fixed in: (no value)

History Show all quoted text
  Thu Sep 30 05:58:50 2010 dst [...] heise.de - Ticket created
Hi, When untaint_all_constraints is used, D::F::Results reports an invalid field as valid. The content is the last successful regexp match, which may be absolutely unrelated to DFV. I reproduced the bug with the attached script using Perl 5.12.1 and DFV 4.66 on a Debian Lenny system. I believe the problem is in line 809 of D::F::Results: my ($match) = scalar ($val =~ $re); if ($untaint_this && defined $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted; } The "scalar" has been added between 4.61 and 4.66. Even if $re does not match, the scalar returns a defined value, which leads into an old $& being used. Cheers, Dennis
Subject: dfvbug.pl
#!/opt/perl/5.12/bin/perl use strict; use warnings; use Data::FormValidator; "some_unrelated_string" =~ m/^.*$/; my $profile = { untaint_all_constraints => 1, required => [qw(a)], constraint_methods => { a => qr/will_never_match/, }, }; my $results = Data::FormValidator->check({ a => 1 }, $profile); warn $results->valid('a');
  Thu Sep 30 11:04:59 2010 MARKSTOS [...] cpan.org - Taken
  Thu Sep 30 11:05:00 2010 MARKSTOS [...] cpan.org - Correspondence added
On Thu Sep 30 05:58:50 2010, dst wrote: Show quoted text
> Hi, > > When untaint_all_constraints is used, D::F::Results reports an > invalid field as valid. The content is the last successful regexp > match, which may be absolutely unrelated to DFV. I reproduced > the bug with the attached script using Perl 5.12.1 and DFV 4.66 on > a Debian Lenny system. > > I believe the problem is in line 809 of D::F::Results: > > my ($match) = scalar ($val =~ $re); > if ($untaint_this && defined $match) { > # pass the value through a RE that matches anything to untaint it. > my ($untainted) = ($& =~ m/(.*)/s); > return $untainted; > }
Thanks for the report, Dennis. Do you have a suggested fix? Thanks, Mark Stosberg
  Thu Sep 30 11:05:08 2010 The RT System itself - Status changed from 'new' to 'open'
  Tue Jun 07 04:52:45 2011 dam [...] cpan.org - Correspondence added
Subject: _create_sub_from_RE untaints a previous $& when there is no match
Hi, Today I stumbled upon this bug. На Thu, 30 Sep 2010 18:05:00 +0300, MARKSTOS написа: Show quoted text
> On Thu Sep 30 05:58:50 2010, dst wrote:
> > When untaint_all_constraints is used, D::F::Results reports an > > invalid field as valid. The content is the last successful regexp > > match, which may be absolutely unrelated to DFV. I reproduced > > the bug with the attached script using Perl 5.12.1 and DFV 4.66 on > > a Debian Lenny system.
> > Thanks for the report, Dennis. > > Do you have a suggested fix?
... and I can suggest a fix. The following patch fixes the check for a successful match by dropping 'defined' from the =~ result. According to perlop, "When used in scalar context, the return value generally indicates the success of the operation." i.e. there is no indication that the result is undefined when there is no match, it is just a boolean result. Thanks for considering. --- a/lib/Data/FormValidator/Results.pm +++ b/lib/Data/FormValidator/Results.pm @@ -807,7 +807,7 @@ sub _create_sub_from_RE { # With methods, the value is the second argument my $val = $force_method_p ? $_[1] : $_[0]; my ($match) = scalar ($val =~ $re); - if ($untaint_this && defined $match) { + if ($untaint_this && $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted;
  Tue Jun 07 04:53:38 2011 dam [...] cpan.org - Requestor DAM added
  Tue Jun 07 09:32:27 2011 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Tue, 07 Jun 2011 09:32:13 -0400
To: bug-Data-FormValidator [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Show quoted text
> ... and I can suggest a fix. The following patch fixes the check for a > successful match by dropping 'defined' from the =~ result.
Thanks. Would you also be willing to contribute a new test suite test which illustrates the bug, and confirm that all existing tests pass with the patch applied? Mark
  Wed Jun 08 15:35:25 2011 dam [...] cpan.org - Correspondence added
CC: dst [...] heise.de
Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Wed, 8 Jun 2011 22:35:12 +0300
To: "mark [...] summersault.com via RT" <bug-Data-FormValidator [...] rt.cpan.org>
From: Damyan Ivanov <dam [...] cpan.org>
-=| mark@summersault.com via RT, Tue, Jun 07, 2011 at 09:32:29AM -0400 |=- Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=61792 >
> > ... and I can suggest a fix. The following patch fixes the check > > for a successful match by dropping 'defined' from the =~ result.
> > Thanks. Would you also be willing to contribute a new test suite test > which illustrates the bug, and confirm that all existing tests pass with > the patch applied?
Sure, test attached. Without the patch it fails,; with the patch all tests pass. Cheers!

Message body is not shown because sender requested not to inline it.

  Wed Jun 08 15:47:18 2011 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Wed, 08 Jun 2011 15:47:10 -0400
To: bug-Data-FormValidator [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks! I'll take a look. Mark
  Fri Jul 08 15:58:56 2011 MARKSTOS [...] cpan.org - Told changed from Wed Jun 08 15:47:19 2011 to Fri Jul 08 15:58:56 2011
  Wed Nov 30 14:28:19 2011 MARKSTOS [...] cpan.org - Told changed from Fri Jul 08 15:58:56 2011 to Wed Nov 30 14:28:19 2011
  Wed Nov 30 14:39:31 2011 MARKSTOS [...] cpan.org - Subject changed from (no value) to 'untainting issue: CVE-2011-2201'
  Wed Nov 30 14:44:04 2011 MARKSTOS [...] cpan.org - Correspondence added
Subject: untainting issue: CVE-2011-2201 (Stosberg connection)
I just noticed that "Dennis Stosberg" was reporter on this report. Hello there! If you didn't notice, my name is "Mark Stosberg". I think we are probably related. Here's the German site for the family, if you'd like to check: http://www.stammesverband-stursberg.com/ ### Separately, here's the patch that Fedora is using to address this bug. The patch and test look similar to what was already provided here. Now that I've updated to the subject to clearly note "CVE", this will be on my radar for a release soon. ### diff -up Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm --- Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig 2010-02-24 15:31:03.000000000 +0100 +++ Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm 2011-08- 28 08:26:22.000000000 +0200 @@ -807,7 +807,7 @@ sub _create_sub_from_RE { # With methods, the value is the second argument my $val = $force_method_p ? $_[1] : $_[0]; my ($match) = scalar ($val =~ $re); - if ($untaint_this && defined $match) { + if ($untaint_this && $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted; diff -up Data-FormValidator-4.66/t/untaint_match_check.t.orig Data- FormValidator-4.66/t/untaint_match_check.t --- Data-FormValidator-4.66/t/untaint_match_check.t.orig 2011-08- 28 08:26:54.000000000 +0200 +++ Data-FormValidator-4.66/t/untaint_match_check.t 2011-08-28 08:26:30.000000000 +0200 @@ -0,0 +1,22 @@ +use strict; +use warnings; + +use Test::More tests => 3; + +use Data::FormValidator; + +"unrelated match" =~ /match/; + +my $result = Data::FormValidator->check( + { a => 'invalid value' }, # input data + { # validation profile + untaint_all_constraints => 1, + optional => ['a'], + constraints => { a => qr/never matches/, }, + }, +); + +ok( not $result->success ) + or diag( 'Valid: ', $result->valid ); +ok( $result->has_invalid ); +is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } );
  Wed Jan 25 22:35:21 2017 DFARRELL [...] cpan.org - Correspondence added
On Wed Nov 30 14:44:04 2011, MARKSTOS wrote: Show quoted text
> I just noticed that "Dennis Stosberg" was reporter on this report. > > Hello there! If you didn't notice, my name is "Mark Stosberg". I think > we are probably related. Here's the German site for the family, if you'd > like to check: > http://www.stammesverband-stursberg.com/ > > ### > > Separately, here's the patch that Fedora is using to address this bug. > The patch and test look similar to what was already provided here. > > Now that I've updated to the subject to clearly note "CVE", this will be > on my radar for a release soon. > > ### > > diff -up Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig > Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm > --- Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig > 2010-02-24 15:31:03.000000000 +0100 > +++ Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm 2011-08- > 28 08:26:22.000000000 +0200 > @@ -807,7 +807,7 @@ sub _create_sub_from_RE { > # With methods, the value is the second argument > my $val = $force_method_p ? $_[1] : $_[0]; > my ($match) = scalar ($val =~ $re); > - if ($untaint_this && defined $match) { > + if ($untaint_this && $match) { > # pass the value through a RE that matches anything to > untaint it. > my ($untainted) = ($& =~ m/(.*)/s); > return $untainted; > diff -up Data-FormValidator-4.66/t/untaint_match_check.t.orig Data- > FormValidator-4.66/t/untaint_match_check.t > --- Data-FormValidator-4.66/t/untaint_match_check.t.orig 2011-08- > 28 08:26:54.000000000 +0200 > +++ Data-FormValidator-4.66/t/untaint_match_check.t 2011-08-28 > 08:26:30.000000000 +0200 > @@ -0,0 +1,22 @@ > +use strict; > +use warnings; > + > +use Test::More tests => 3; > + > +use Data::FormValidator; > + > +"unrelated match" =~ /match/; > + > +my $result = Data::FormValidator->check( > + { a => 'invalid value' }, # input data > + { # validation profile > + untaint_all_constraints => 1, > + optional => ['a'], > + constraints => { a => qr/never matches/, }, > + }, > +); > + > +ok( not $result->success ) > + or diag( 'Valid: ', $result->valid ); > +ok( $result->has_invalid ); > +is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } > );
A quick glance at the source suggests this hasn't been applied yet, but I could be wrong (maybe it was solved in a different way). I've raised an issue on my r=fork https://github.com/dnmfarrell/Data-FormValidator/issues/1