Bug #84879 for Encode: Encode::encode and Encode::decode gratuitously launders tainted data

> The result of Encode::encode or Encode::decode > is not tainted, even if given a tainted argument. > > There is no excuse for such gratuitous laundering > of data. It subverts usefulness of Perl taint > protection mechanism and can open security holes > in applications using Encode which are unaware of > this bug (here is one example: [rt.cpan.org #82294]). > > The bug is not new and is not specific to recent > versions of perl or versions of the module Encode > (tested with Encode 2.49, 2.44, 2.42, 2.35, ...). > > Some more security conscious existing applications > are already jumping hoops providing a workaround, > but this is not something which an application > should be required to do. > > The following test program illustrates the problem: > > > #!/usr/bin/perl -T > use strict; > use Encode qw(encode decode); > use Scalar::Util qw(tainted); > > printf("Encode %s\n", Encode->VERSION); > > my $str = "abc" . substr($ENV{PATH},0,0); # tainted string > my $r; > > $r = encode("ASCII", $str); > warn "encode laundering\n" if tainted($str) && !tainted($r); > > $r = encode("UTF-8", $str); > warn "encode laundering\n" if tainted($str) && !tainted($r); > > $r = decode("ISO-8859-1", $str); > warn "decode laundering\n" if tainted($str) && !tainted($r); > > > There is a related PR 64642 (Tainted values have the taint flag > cleared when encoded), which addresses only the encoding half > of the problem. It is disheartening that it is labeled under > severity "wishlist", where in fact it is genuine security issue. > > As the Encode is a core module, this issue is also tracked > as [perl #117771].