Item8923: $ENV{PATH} isn't dirty

The TAINT function in Assert.pm relies on $ENV{PATH} being tainted. However, I just did a bunch of tests on my Debian with Perl 5.10, and it isn't. So we need some other way of generating tainted input.

Background:

man perlsec states:

You may not use data derived from outside your program to affect something else outside your program -- at least, not by accident. All command line arguments, environment variables, locale information (see perllocale), results of certain system calls ("readdir()", "readlink()", the variable of "shmread()", the messages returned by "msgrcv()", the password, gcos and shell fields returned by the "getpwxxx()" calls), and all file input are marked as "tainted".

and perl -T -e 'eval $ENV{PATH}' shows it is indeed tainted. But Foswiki (in it's infinite wisdom) has {SafeEnvPath} whish sets $ENV{PATH} with an untainted value.

So, we need another way of getting tainted string data. Environment vars differ from platform to platform; PATH is just about the only consistent one. However the locale functions are pretty standard, and perl -T -e 'use locale; eval lc("x")' should be OK everywhere.

Priority is Urgent because this only affects the TAINT function, which is used in unit tests.

-- CrawfordCurrie - 18 Apr 2010

Commenting is disabled while not logged in