From 1738e041e86c4796d194727eae67369600abf920 Mon Sep 17 00:00:00 2001
From: David Mitchell
Date: Tue, 13 May 2014 14:18:06 +0100
Subject: [perl #121854] use re 'taint' regression
Commit v5.19.8-533-g63baef5 changed the handling of locale-dependent regexes so that the pattern was considered tainted at compile-time, rather than determining it each time at run-time whenever it executed a locale-dependent node. Unfortunately due to the conflating of two flags, RXf_TAINTED and RXf_TAINTED_SEEN, it had the side effect of permanently marking a pattern as tainted once it had had a single tainted result. E.g. use re qw(taint); use Scalar::Util qw(tainted); for ($^X, "abc") { /(.*)/ or die; print "not " unless tainted("$1"); print "tainted\n"; }; which from 5.19.9 onwards output: tainted tainted but with this commit (and with 5.19.8 and earlier), it now outputs: tainted not tainted The RXf_TAINTED flag indicates that the pattern itself is tainted, e.g. $r = qr/$tainted_value/ while the RXf_TAINTED_SEEN flag means that the results of the last match are tainted, e.g. use re 'tainted'; $tainted =~ /(.*)/; # $1 is tainted Pre 63baef5, the code used to look like: at run-time: turn off RXf_TAINTED_SEEN; while (nodes to execute) { switch(node) { case BOUNDL: /* and other locale-specific ops */ turn on RXf_TAINTED_SEEN; ...; } } if (tainted || RXf_TAINTED) turn on RXf_TAINTED_SEEN; 63baef5 changed it to: at compile-time: if (pattern has locale ops) turn on RXf_TAINTED_SEEN; at run-time: while (nodes to execute) { ... } if (tainted || RXf_TAINTED) turn on RXf_TAINTED_SEEN; This commit changes it to: at compile-time; if (pattern has locale ops) turn on RXf_TAINTED; at run-time: turn off RXf_TAINTED_SEEN; while (nodes to execute) { ... } if (tainted || RXf_TAINTED) turn on RXf_TAINTED_SEEN;
---
 regexp.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'regexp.h')
diff --git a/regexp.h b/regexp.h
index d32e669a4c..db7ae8be01 100644
--- a/regexp.h
+++ b/regexp.h
@@ -415,8 +415,7 @@ get_regex_charset_name(const U32 flags, STRLEN* const lenp)
 /* Copy and tainted info */
 #define RXf_COPY_DONE (1<<(RXf_BASE_SHIFT+16))
-/* during execution: pattern temporarily tainted by executing locale ops;
- * post-execution: $1 et al are tainted */
+/* post-execution: $1 et al are tainted */
 #define RXf_TAINTED_SEEN (1<<(RXf_BASE_SHIFT+17))
 /* this pattern was tainted during compilation */
 #define RXf_TAINTED (1<<(RXf_BASE_SHIFT+18))
-- 
cgit v1.2.1
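Review bot: The comment on `RXf_TAINTED` still reads "this pattern was tainted during compilation", but the commit description says the flag is now also turned on at compile time for any pattern that has locale ops, so the comment under-describes when captures come back tainted. I would widen it to something like `/* pattern is tainted: set at compile time from a tainted pattern string or because it contains locale-dependent ops */`. The new `RXf_TAINTED_SEEN` comment could also record the property whose loss caused the regression, e.g. `/* post-execution: $1 et al are tainted; reset at the start of every match */`. The code that sets and clears both flags is outside this view (the patch shown is limited to regexp.h), so the exact wording should be checked against it.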