author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-18 21:29:52 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-18 21:29:52 +0000 |
commit | fd1b35e57ce1fdce5ec1dc979ff36b7649cab0c5 (patch) | |
tree | 1e9feb47e6e6c1723f80028ae09804c3a3aa7b7d | |
parent | 7b0ec0f6d6a654d98e75c54815f0332ea1032b68 (diff) |
Perl security fix for CVE-2011-1487:
ucfirst(), uc() and lc() forget to set the tainted flag if input
was marked as tainted.
http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336
http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99
ok millert@
-rw-r--r-- | gnu/usr.bin/perl/patchlevel.h | 1 | ||||
-rw-r--r-- | gnu/usr.bin/perl/pp.c | 6 | ||||
-rw-r--r-- | gnu/usr.bin/perl/t/op/taint.t | 14 |
3 files changed, 20 insertions, 1 deletions
diff --git a/gnu/usr.bin/perl/patchlevel.h b/gnu/usr.bin/perl/patchlevel.h
index 9c491104cea..418a6d6f9bb 100644
--- a/gnu/usr.bin/perl/patchlevel.h
+++ b/gnu/usr.bin/perl/patchlevel.h
@@ -131,6 +131,7 @@ static const char * const local_patches[] = {
 ,"Updated CGI to 3.51"
 ,"Updated Test::Simple to 0.98"
 ,"Updated List::Util to 1.23"
+ ,"CVE-2011-1487"
 #ifdef PERL_GIT_UNCOMMITTED_CHANGES
 ,"uncommitted-changes"
 #endif
diff --git a/gnu/usr.bin/perl/pp.c b/gnu/usr.bin/perl/pp.c
index 09d03661ee6..0c58262a5de 100644
--- a/gnu/usr.bin/perl/pp.c
+++ b/gnu/usr.bin/perl/pp.c
@@ -3949,6 +3949,8 @@ PP(pp_ucfirst)
 SvCUR_set(dest, need - 1);
 }
 }
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
@@ -4222,6 +4224,8 @@ PP(pp_uc)
 SvCUR_set(dest, d - (U8*)SvPVX_const(dest));
 }
 } /* End of isn't utf8 */
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
@@ -4433,6 +4437,8 @@ PP(pp_lc)
 SvCUR_set(dest, d - (U8*)SvPVX_const(dest));
 }
 }
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
diff --git a/gnu/usr.bin/perl/t/op/taint.t b/gnu/usr.bin/perl/t/op/taint.t
index 161073deb6c..4811a24ee1c 100644
--- a/gnu/usr.bin/perl/t/op/taint.t
+++ b/gnu/usr.bin/perl/t/op/taint.t
@@ -17,7 +17,7 @@ use Config; use File::Spec::Functions; BEGIN { require './test.pl'; }
-plan tests => 302;
+plan tests => 306;
 $| = 1;
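Review bot: The taint-propagation check added at the tail of pp_ucfirst in pp.c, and copied identically into pp_uc and pp_lc, has no comment saying why it is guarded by `dest != source` or which bug it closes. A one-line comment above each copy, for example `/* result is a fresh SV: carry the source's taint over explicitly, see [perl #87336] */`, would keep a later refactor from dropping it as redundant; the in-place case presumably keeps its taint because the same SV is reused, but that is not visible here. Each function body starts outside its hunk, so it is worth confirming that no earlier branch in these three ops returns before reaching this tail, since such a path would skip the propagation.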
@@ -1318,6 +1318,18 @@ foreach my $ord (78, 163, 256) { unlike($err, qr/^\d+$/, 'tainted $!'); }
+{
+ # [perl #87336] lc/uc(first) failing to taint the returned string
+ my $source = "foo$TAINT";
+ my $dest = lc $source;
+ ok(tainted($dest), "lc(tainted) taints its return value");
+ $dest = lcfirst $source;
+ ok(tainted($dest), "lcfirst(tainted) taints its return value");
+ $dest = uc $source;
+ ok(tainted($dest), "uc(tainted) taints its return value");
+ $dest = ucfirst $source;
+ ok(tainted($dest), "ucfirst(tainted) taints its return value");
+}
 # This may bomb out with the alarm signal so keep it last SKIP: { |
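Review bot: The new block in t/op/taint.t only feeds a plain byte string (`"foo$TAINT"`) through lc, lcfirst, uc and ucfirst, so only one of the code paths behind the fix is pinned. The pp.c context in this same commit (`/* End of isn't utf8 */` in pp_uc) shows a separate UTF-8 branch, and a regression there would go unnoticed. Repeating the four checks with a UTF-8 source, for instance `my $source = "\x{100}oo$TAINT";` (a constructed sample), and raising `plan tests` to match would cover both branches. A case where the result is assigned back over its own input would also show whether the path that the C check skips (`dest == source`) keeps the taint, though whether that assignment actually reaches the in-place path is not visible from the hunk.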