| Subject: | Taint mode troubles with set_extension |
Running in taint mode, I happened to fetch a value for set_extensions from a file.
I get an error message that has nothing to do with tainted data, and sent me on a long chase for "undef" in a hash entry.
The error should either mention tainted data as a possibility, or die with a true tainted data exception.
Here's the case (simplified):
my %aiaSection;
$ifile = readlink( $ifile ) if( -l $ifile ); # This will be tainted if -l is true
$ifile = (fileparse( $ifile ))[0];
$aiaSection{'caIssuers;URI'} = $ifile;
$cert->set_extension( authorityInfoAccess => '@aia_section', aia_section => \%aiaSection, );
Here's the error:
bad structure: hash contains an undef value at /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Crypt/OpenSSL/CA.pm line 1920.
It appears that the tainted value causes char0_value to return a zero-length string, and SvPOK then makes it look undef...
And here is a dump (Data::Dumper::Dumper) of the arguments just before the error (Note that some other entries were filled in when this was captured, but it was the caIssuers that caused the problem):
$VAR1 = 'authorityInfoAccess';
$VAR2 = '@aia_section';
$VAR3 = 'aia_section';
$VAR4 = {
'OCSP;URI.1' => 'http://security1.example.net:2560/ocsp/root',
'OCSP;URI.2' => 'http://security2.example.net:2560/ocsp/root',
'caIssuers;URI' => 'http://security.example.net/ca/1b86ad992cd90868d83f51445df4db.pem'
};
Note that there is nothing undefined.
untainting the value solved the problem.
An older version, of Perl on Fedora:
This is perl, v5.8.8 built for i386-linux-thread-multi
Linux overkill 2.6.22.14-72.fc6 #1 SMP Wed Nov 21 15:12:59 EST 2007 i686 i686 i386 GNU/Linux