author    David Mitchell <davem@iabyn.com>  2011-02-14 15:46:13 +0000
committer David Mitchell <davem@iabyn.com>  2011-02-16 17:34:08 +0000
commit    20be6587f85cec282e10810718c869dd958afe43 (patch)
tree      f80be6605c3f9d61ca41ac9d6c846c8701f4c2fb /perl.h
parent    c769ddc70796c6d56fa78ec22fb70caee961bcbf (diff)
download  perl-20be6587f85cec282e10810718c869dd958afe43.tar.gz
fix many s/// tainting bugs
This is a re-implementation of the tainting code in pp_subst and
pp_substcont. Although this fixes many bugs, because it's a de-novo rewrite
of the tainting parts of the code in those two functions, it's quite
possible that it breaks some existing tainting behaviour. It doesn't break
any existing tests, although it turns out that this area was severely
under-tested anyway.

The main bugs that this commit fixes are as follows, where:

    T = a tainted value
    L = pattern tainted by locale (e.g. use locale; s/\w//)

Happens both with and without 'use re taint' unless specified.
Happens with all modifiers (/g, /r etc) unless explicitly mentioned.

$1 unexpectedly untainted:
    s/T//
    T =~ s///    under use re 'taint'

original string unexpectedly untainted:
    s/L//, s/L//g

return value unexpectedly untainted:
    T =~ s///g   under no re 'taint'
    s/L//g, s/L//r

return value unexpectedly tainted:
    s/T//
    s//T/r       under no re 'taint'
    T =~ s///    under use re 'taint'
    s//T/        under use re 'taint'

Also, with /ge, the original string becomes tainted as soon as possible
(usually in the second entry to the /e code block) rather than only at
the end, in code like

    $orig =~ s/T/...code.../ge

The rationale behind the taintedness of the return value of s/// (in the
non /r case), is that a boolean value shouldn't be tainted. This
corresponds to the general perl tainting policy that boolean ops don't
return tainted values. On the other hand, when it returns an integer
(number of matches), that should be tainted.

A couple of notes about the old tainting code this replaces: firstly,
several occurrences of the following were NOOPs, since rxtainted was U8
and the bit being ored was > 256:

    rxtainted |= RX_MATCH_TAINTED(rx)

secondly, removing a whole bunch of the following didn't make any
existing tests fail:

    TAINT_IF(rxtainted & 1);
Diffstat (limited to 'perl.h')

-rw-r--r--  perl.h  9
1 files changed, 9 insertions, 0 deletions
diff --git a/perl.h b/perl.h
index c7139cde39..72d8686587 100644
--- a/perl.h
+++ b/perl.h
@@ -541,6 +541,15 @@ register struct op *Perl_op asm(stringify(OP_IN_REGISTER));
#define TAINT_ENV() if (PL_tainting) { taint_env(); }
#define TAINT_PROPER(s) if (PL_tainting) { taint_proper(NULL, s); }
+/* flags used internally only within pp_subst and pp_substcont */
+#ifdef PERL_CORE
+# define SUBST_TAINT_STR 1 /* string tainted */
+# define SUBST_TAINT_PAT 2 /* pattern tainted */
+# define SUBST_TAINT_REPL 4 /* replacement tainted */
+# define SUBST_TAINT_RETAINT 8 /* use re'taint' in scope */
+# define SUBST_TAINT_BOOLRET 16 /* return is boolean (don't taint) */
+#endif
+
/* XXX All process group stuff is handled in pp_sys.c. Should these
defines move there? If so, I could simplify this a lot. --AD 9/96.
*/
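Review bot: the new SUBST_TAINT_* flags (SUBST_TAINT_STR through SUBST_TAINT_BOOLRET) all sit in the low five bits, which is exactly what avoids the silent NOOP the commit message describes for `rxtainted |= RX_MATCH_TAINTED(rx)` when rxtainted was a U8 and the ORed bit was > 256; that constraint should be stated in the leading comment so a later flag added as 256 does not reintroduce the bug, e.g. `/* flags used internally only within pp_subst and pp_substcont; must fit in the U8 rxtainted */`. Minor: the comment on SUBST_TAINT_RETAINT reads `use re'taint'`, but the pragma as written elsewhere in the commit message is `use re 'taint'`.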