
This queue is for tickets about the Crypt-Skip32-XS CPAN distribution.

Report information
The Basics
Id: 98595
Status: rejected
Priority: 0/
Queue: Crypt-Skip32-XS

People
Owner: Nobody in particular
Requestors: bluefeet [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: SvPOK call is not correct
Date: Wed, 3 Sep 2014 13:12:45 -0700
To: bug-Crypt-Skip32-XS [...] rt.cpan.org
From: Aran Deltac <bluefeet [...] gmail.com>
I recently installed Crypt::Skip32::XS and it started failing with the error at this line:

    if (! SvPOK(key)) {
        my_croak("key must be an untainted string scalar");
    }

I'm not an XS expert, but I've been banging my head on this for a couple of hours, and my research has found that SvPOK does not mean "untainted string scalar". All it is is a flag that means the character data may be accessed in the SvPVX value. That's all. Yes, untainted strings often end up in SvPVX, but that is not always the case.

Here's a reproducible example (make sure Crypt::Skip32::XS is installed):

    perl -MCrypt::Skip32 -e '$k="abcdefghij"; $k=~m{^(.+)$}; Crypt::Skip32->new( $1 )'

Which then produces:

    key must be an untainted string scalar at -e line 1.

But if I quote $1:

    perl -MCrypt::Skip32 -e '$k="abcdefghij"; $k=~m{^(.+)$}; Crypt::Skip32->new( "$1" )'

There are no errors, as quoting the $1 re-creates the scalar. This is an example of a variable that is not tainted, and is a string scalar, but fails for SvPOK. There are other ways to get the same situation, not just with regex captures.

Aran
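As an added illustration (not code from Crypt::Skip32::XS or from either poster), the quoted check rewritten so that get-magic runs before the flag is examined and taint is tested as its own property. It assumes `key` is the SV* the XSUB received and relies on SKIP32's 10-byte key size.

```xs
/* Added example, not the distribution's code.  `key` is assumed to be the
 * SV* passed to the XSUB; returns the key bytes and stores their length. */
static const char *
checked_key(pTHX_ SV *key, STRLEN *klen)
{
    /* $1, tied scalars and other magical SVs only materialise their string
     * when get-magic runs; testing SvPOK before that sees no POK flag. */
    SvGETMAGIC(key);

    /* After get-magic, SvPOK reflects the real state of the scalar. */
    if (!SvPOK(key))
        croak("key must be a string scalar");

    /* "untainted" is a separate property: test it directly rather than
     * inferring it from the POK flag. */
    if (SvTAINTED(key))
        croak("key must be an untainted string scalar");

    /* Magic already ran above, so fetch the bytes without running it again. */
    const char *kbytes = SvPV_nomg(key, *klen);

    /* SKIP32 uses an 80-bit (10-byte) key; reject anything else early. */
    if (*klen != 10)
        croak("key must be exactly 10 bytes, got %lu", (unsigned long)*klen);

    return kbytes;
}
```

With this ordering the unquoted `$1` from the report passes, while a genuinely tainted key (for example one read from `@ARGV` under `-T`) is still rejected.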
On Wed Sep 03 16:12:54 2014, bluefeet@gmail.com wrote:
I probably copied that from Crypt::Rijndael, which has the same check and identical error message. In fact, many other Crypt modules use the same check.

$1 is magical, which you can see with Devel::Peek. I'm fine with it failing on magical scalars.

FYI, it's not smart to pass match variables as arguments to subs. If the sub performs a regex before using the value in the argument, it gets clobbered.