This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
[inseparable changes from match from perl-5.003_90 to perl-5.003_91]
[perl5.git] / t / op / taint.t
CommitLineData
1e422769
PP
1#!./perl -T
2#
3# Taint tests by Tom Phoenix <rootbeer@teleport.com>.
4#
5# I don't claim to know all about tainting. If anyone sees
6# tests that I've missed here, please add them. But this is
7# better than having no tests at all, right?
8#
9
10BEGIN {
11 chdir 't' if -d 't';
12 @INC = '../lib' if -d '../lib';
13}
14
15use strict;
16use Config;
17
18my $Is_VMS = $^O eq 'VMS';
19my $Invoke_Perl = $Is_VMS ? 'MCR Sys$Disk:[]Perl.' : './perl';
20if ($Is_VMS) {
21 eval <<EndOfCleanup;
22 END {
23 \$ENV{PATH} = '';
24 warn "# Note: logical name 'PATH' may have been deleted\n";
25 \$ENV{IFS} = "$ENV{IFS}";
26 \$ENV{'DCL\$PATH'} = "$ENV{'DCL$PATH'}";
27 }
28EndOfCleanup
29}
30
31# Sources of taint:
32# The empty tainted value, for tainting strings
33my $TAINT = substr($^X, 0, 0);
34# A tainted zero, useful for tainting numbers
35my $TAINT0 = 0 + $TAINT;
36
37# This taints each argument passed. All must be lvalues.
38# Side effect: It also stringifies them. :-(
39sub taint_these (@) {
40 for (@_) { $_ .= $TAINT }
41}
42
43# How to identify taint when you see it
44sub any_tainted (@) {
45 not eval { join("",@_), kill 0; 1 };
46}
47sub tainted ($) {
48 any_tainted @_;
49}
50sub all_tainted (@) {
51 for (@_) { return 0 unless tainted $_ }
52 1;
53}
54
55sub test ($$;$) {
56 my($serial, $boolean, $diag) = @_;
57 if ($boolean) {
58 print "ok $serial\n";
59 } else {
60 print "not ok $serial\n";
61 for (split m/^/m, $diag) {
62 print "# $_";
63 }
64 print "\n" unless
65 $diag eq ''
66 or substr($diag, -1) eq "\n";
67 }
68}
69
70# We need an external program to call.
71my $ECHO = "./echo$$";
72END { unlink $ECHO }
73open PROG, "> $ECHO" or die "Can't create $ECHO: $!";
74print PROG 'print "@ARGV\n"', "\n";
75close PROG;
76my $echo = "$Invoke_Perl $ECHO";
77
78print "1..96\n";
79
80# First, let's make sure that Perl is checking the dangerous
81# environment variables. Maybe they aren't set yet, so we'll
82# taint them ourselves.
83{
84 $ENV{'DCL$PATH'} = '' if $Is_VMS;
85
86 $ENV{PATH} = $TAINT;
87 $ENV{IFS} = '';
88 test 1, eval { `$echo 1` } eq '';
89 test 2, $@ =~ /^Insecure \$ENV{PATH}/, $@;
90
91 $ENV{PATH} = '';
92 $ENV{IFS} = $TAINT;
93 test 3, eval { `$echo 1` } eq '';
94 test 4, $@ =~ /^Insecure \$ENV{IFS}/, $@;
95
96 my ($tmp) = grep { (stat)[2] & 2 } '/tmp', '/var/tmp', '/usr/tmp';
97 if ($tmp) {
98 $ENV{PATH} = $tmp;
99 test 5, eval { `$echo 1` } eq '';
100 test 6, $@ =~ /^Insecure directory in \$ENV{PATH}/, $@;
101 }
102 else {
103 print "# can't find writeable directory to test PATH tainting\n";
104 for (5..6) { print "ok $_\n" }
105 }
106
107 $ENV{PATH} = '';
108 $ENV{IFS} = '';
109 test 7, eval { `$echo 1` } eq "1\n";
110 test 8, $@ eq '', $@;
111
112 if ($Is_VMS) {
113 $ENV{'DCL$PATH'} = $TAINT;
114 test 9, eval { `$echo 1` } eq '';
115 test 10, $@ =~ /^Insecure \$ENV{DCL\$PATH}/, $@;
116 $ENV{'DCL$PATH'} = '';
117 }
118 else {
119 print "# This is not VMS\n";
120 for (9..10) { print "ok $_\n"; }
121 }
122}
123
124# Let's see that we can taint and untaint as needed.
125{
126 my $foo = $TAINT;
127 test 11, tainted $foo;
128
129 $foo = "foo";
130 test 12, not tainted $foo;
131
132 taint_these($foo);
133 test 13, tainted $foo;
134
135 my @list = 1..10;
136 test 14, not any_tainted @list;
137 taint_these @list[1,3,5,7,9];
138 test 15, any_tainted @list;
139 test 16, all_tainted @list[1,3,5,7,9];
140 test 17, not any_tainted @list[0,2,4,6,8];
141
142 ($foo) = $foo =~ /(.+)/;
143 test 18, not tainted $foo;
144
145 $foo = $1 if ('bar' . $TAINT) =~ /(.+)/;
146 test 19, not tainted $foo;
147 test 20, $foo eq 'bar';
148
149 my $pi = 4 * atan2(1,1) + $TAINT0;
150 test 21, tainted $pi;
151
152 ($pi) = $pi =~ /(\d+\.\d+)/;
153 test 22, not tainted $pi;
154 test 23, sprintf("%.5f", $pi) eq '3.14159';
155}
156
157# How about command-line arguments? The problem is that we don't
158# always get some, so we'll run another process with some.
159{
160 my $arg = "./arg$$";
161 open PROG, "> $arg" or die "Can't create $arg: $!";
162 print PROG q{
163 eval { join('', @ARGV), kill 0 };
164 exit 0 if $@ =~ /^Insecure dependency/;
165 print "# Oops: \$@ was [$@]\n";
166 exit 1;
167 };
168 close PROG;
169 print `$Invoke_Perl "-T" $arg and some suspect arguments`;
170 test 24, !$?, "Exited with status $?";
171 unlink $arg;
172}
173
174# Reading from a file should be tainted
175{
176 my $file = './perl' . $Config{exe_ext};
177 test 25, open(FILE, $file), "Couldn't open '$file': $!";
178
179 my $block;
180 sysread(FILE, $block, 100);
181 my $line = <FILE>; # Should "work"
182 close FILE;
183 test 26, tainted $block;
184 test 27, tainted $line;
185}
186
187# Globs should be tainted.
188{
189 my @globs = <*>;
190 test 28, all_tainted @globs;
191
192 @globs = glob '*';
193 test 29, all_tainted @globs;
194}
195
196# Output of commands should be tainted
197{
198 my $foo = `$echo abc`;
199 test 30, tainted $foo;
200}
201
202# Certain system variables should be tainted
203{
204 test 31, all_tainted $^X, $0;
205}
206
207# Results of matching should all be untainted
208{
209 my $foo = "abcdefghi" . $TAINT;
210 test 32, tainted $foo;
211
212 $foo =~ /def/;
213 test 33, not any_tainted $`, $&, $';
214
215 $foo =~ /(...)(...)(...)/;
216 test 34, not any_tainted $1, $2, $3, $+;
217
218 my @bar = $foo =~ /(...)(...)(...)/;
219 test 35, not any_tainted @bar;
220
221 test 36, tainted $foo; # $foo should still be tainted!
222 test 37, $foo eq "abcdefghi";
223}
224
225# Operations which affect files can't use tainted data.
226{
227 test 38, eval { chmod 0, $TAINT } eq '', 'chmod';
228 test 39, $@ =~ /^Insecure dependency/, $@;
229
230 test 40, eval { truncate 'NoSuChFiLe', $TAINT0 } eq '', 'truncate';
231 test 41, $@ =~ /^Insecure dependency/, $@;
232
233 test 42, eval { rename '', $TAINT } eq '', 'rename';
234 test 43, $@ =~ /^Insecure dependency/, $@;
235
236 test 44, eval { unlink $TAINT } eq '', 'unlink';
237 test 45, $@ =~ /^Insecure dependency/, $@;
238
239 test 46, eval { utime $TAINT } eq '', 'utime';
240 test 47, $@ =~ /^Insecure dependency/, $@;
241
242 if ($Config{d_chown}) {
243 test 48, eval { chown -1, -1, $TAINT } eq '', 'chown';
244 test 49, $@ =~ /^Insecure dependency/, $@;
245 }
246 else {
247 print "# chown() is not available\n";
248 for (48..49) { print "ok $_\n" }
249 }
250
251 if ($Config{d_link}) {
252 test 50, eval { link $TAINT, '' } eq '', 'link';
253 test 51, $@ =~ /^Insecure dependency/, $@;
254 }
255 else {
256 print "# link() is not available\n";
257 for (50..51) { print "ok $_\n" }
258 }
259
260 if ($Config{d_symlink}) {
261 test 52, eval { symlink $TAINT, '' } eq '', 'symlink';
262 test 53, $@ =~ /^Insecure dependency/, $@;
263 }
264 else {
265 print "# symlink() is not available\n";
266 for (52..53) { print "ok $_\n" }
267 }
268}
269
270# Operations which affect directories can't use tainted data.
271{
272 test 54, eval { mkdir $TAINT0, $TAINT } eq '', 'mkdir';
273 test 55, $@ =~ /^Insecure dependency/, $@;
274
275 test 56, eval { rmdir $TAINT } eq '', 'rmdir';
276 test 57, $@ =~ /^Insecure dependency/, $@;
277
278 test 58, eval { chdir $TAINT } eq '', 'chdir';
279 test 59, $@ =~ /^Insecure dependency/, $@;
280
281 if ($Config{d_chroot}) {
282 test 60, eval { chroot $TAINT } eq '', 'chroot';
283 test 61, $@ =~ /^Insecure dependency/, $@;
284 }
285 else {
286 print "# chroot() is not available\n";
287 for (60..61) { print "ok $_\n" }
288 }
289}
290
291# Some operations using files can't use tainted data.
292{
293 my $foo = "imaginary library" . $TAINT;
294 test 62, eval { require $foo } eq '', 'require';
295 test 63, $@ =~ /^Insecure dependency/, $@;
296
297 my $filename = "./taintB$$"; # NB: $filename isn't tainted!
298 END { unlink $filename if defined $filename }
299 $foo = $filename . $TAINT;
300 unlink $filename; # in any case
301
302 test 64, eval { open FOO, $foo } eq '', 'open for read';
303 test 65, $@ eq '', $@; # NB: This should be allowed
304 test 66, $! == 2; # File not found
305
306 test 67, eval { open FOO, "> $foo" } eq '', 'open for write';
307 test 68, $@ =~ /^Insecure dependency/, $@;
308}
309
310# Commands to the system can't use tainted data
311{
312 my $foo = $TAINT;
313
314 if ($^O eq 'amigaos') {
315 print "# open(\"|\") is not available\n";
316 for (69..72) { print "ok $_\n" }
317 }
318 else {
319 test 69, eval { open FOO, "| $foo" } eq '', 'popen to';
320 test 70, $@ =~ /^Insecure dependency/, $@;
321
322 test 71, eval { open FOO, "$foo |" } eq '', 'popen from';
323 test 72, $@ =~ /^Insecure dependency/, $@;
324 }
325
326 test 73, eval { exec $TAINT } eq '', 'exec';
327 test 74, $@ =~ /^Insecure dependency/, $@;
328
329 test 75, eval { system $TAINT } eq '', 'system';
330 test 76, $@ =~ /^Insecure dependency/, $@;
331
332 $foo = "*";
333 taint_these $foo;
334
335 test 77, eval { `$echo 1$foo` } eq '', 'backticks';
336 test 78, $@ =~ /^Insecure dependency/, $@;
337
338 if ($Is_VMS) { # wildcard expansion doesn't invoke shell, so is safe
339 test 79, join('', eval { glob $foo } ) ne '', 'globbing';
340 test 80, $@ eq '', $@;
341 }
342 else {
343 test 79, join('', eval { glob $foo } ) eq '', 'globbing';
344 test 80, $@ =~ /^Insecure dependency/, $@;
345 }
346}
347
348# Operations which affect processes can't use tainted data.
349{
350 test 81, eval { kill 0, $TAINT } eq '', 'kill';
351 test 82, $@ =~ /^Insecure dependency/, $@;
352
353 if ($Config{d_setpgrp}) {
354 test 83, eval { setpgrp 0, $TAINT } eq '', 'setpgrp';
355 test 84, $@ =~ /^Insecure dependency/, $@;
356 }
357 else {
358 print "# setpgrp() is not available\n";
359 for (83..84) { print "ok $_\n" }
360 }
361
362 if ($Config{d_setprior}) {
363 test 85, eval { setpriority 0, $TAINT, $TAINT } eq '', 'setpriority';
364 test 86, $@ =~ /^Insecure dependency/, $@;
365 }
366 else {
367 print "# setpriority() is not available\n";
368 for (85..86) { print "ok $_\n" }
369 }
370}
371
372# Some miscellaneous operations can't use tainted data.
373{
374 if ($Config{d_syscall}) {
375 test 87, eval { syscall $TAINT } eq '', 'syscall';
376 test 88, $@ =~ /^Insecure dependency/, $@;
377 }
378 else {
379 print "# syscall() is not available\n";
380 for (87..88) { print "ok $_\n" }
381 }
382
383 {
384 my $foo = "x" x 979;
385 taint_these $foo;
386 local *FOO;
387 my $temp = "./taintC$$";
388 END { unlink $temp }
389 test 89, open(FOO, "> $temp"), "Couldn't open $temp for write: $!";
390
391 test 90, eval { ioctl FOO, $TAINT, $foo } eq '', 'ioctl';
392 test 91, $@ =~ /^Insecure dependency/, $@;
393
394 if ($Config{d_fcntl}) {
395 test 92, eval { fcntl FOO, $TAINT, $foo } eq '', 'fcntl';
396 test 93, $@ =~ /^Insecure dependency/, $@;
397 }
398 else {
399 print "# fcntl() is not available\n";
400 for (92..93) { print "ok $_\n" }
401 }
402
403 close FOO;
404 }
405}
406
407# Some tests involving references
408{
409 my $foo = 'abc' . $TAINT;
410 my $fooref = \$foo;
411 test 94, not tainted $fooref;
412 test 95, tainted $$fooref;
413 test 96, tainted $foo;
414}