Item8923: $ENV{PATH} isn't dirty
Priority: Urgent
Current State: Closed
Released In:
Target Release: n/a
Applies To: Engine
Component:
Branches:
The TAINT function in Assert.pm relies on $ENV{PATH} being tainted. However, I just did a bunch of tests on my Debian with Perl 5.10, and it isn't. So we need some other way of generating tainted input.
Background:
man perlsec states:
You may not use data derived from outside your program to affect
something else outside your program -- at least, not by accident. All
command line arguments, environment variables, locale information (see
perllocale), results of certain system calls ("readdir()",
"readlink()", the variable of "shmread()", the messages returned by
"msgrcv()", the password, gcos and shell fields returned by the
"getpwxxx()" calls), and all file input are marked as "tainted".
and
perl -T -e 'eval $ENV{PATH}'
shows it is indeed tainted. But Foswiki (in it's infinite wisdom) has
{SafeEnvPath}
whish sets
$ENV{PATH}
with an untainted value.
So, we need another way of getting tainted string data. Environment vars differ from platform to platform; PATH is just about the only consistent one. However the locale functions are pretty standard, and
perl -T -e 'use locale; eval lc("x")'
should be OK everywhere.
Priority is Urgent because this only affects the TAINT function, which is used in unit tests.
--
CrawfordCurrie - 18 Apr 2010