3 # Taint tests by Tom Phoenix <rootbeer@teleport.com>.
5 # I don't claim to know all about tainting. If anyone sees
6 # tests that I've missed here, please add them. But this is
7 # better than having no tests at all, right?
14 skip_all_if_miniperl("no dynamic loading on miniperl, no re");
24 use vars qw($ipcsysv); # did we manage to load IPC::SysV?
26 my ($old_env_path, $old_env_dcl_path, $old_env_term);
28 $old_env_path = $ENV{'PATH'};
29 $old_env_dcl_path = $ENV{'DCL$PATH'};
30 $old_env_term = $ENV{'TERM'};
31 if ($^O eq 'VMS' && !defined($Config{d_setenv})) {
32 $ENV{PATH} = $ENV{PATH};
33 $ENV{TERM} = $ENV{TERM} ne ''? $ENV{TERM} : 'dummy';
35 if ($Config{'extensions'} =~ /\bIPC\/SysV\b/
36 && ($Config{d_shm} || $Config{d_msg})) {
37 eval { require IPC::SysV };
40 IPC::SysV->import(qw(IPC_PRIVATE IPC_RMID IPC_CREAT S_IRWXU IPC_NOWAIT));
45 my $Is_VMS = $^O eq 'VMS';
46 my $Is_MSWin32 = $^O eq 'MSWin32';
47 my $Is_NetWare = $^O eq 'NetWare';
48 my $Is_Dos = $^O eq 'dos';
49 my $Is_Cygwin = $^O eq 'cygwin';
50 my $Is_OpenBSD = $^O eq 'openbsd';
51 my $Is_MirBSD = $^O eq 'mirbsd';
52 my $Invoke_Perl = $Is_VMS ? 'MCR Sys$Disk:[]Perl.exe' :
53 $Is_MSWin32 ? '.\perl' :
54 $Is_NetWare ? 'perl' :
56 my @MoreEnv = qw/IFS CDPATH ENV BASH_ENV/;
60 for $x ('DCL$PATH', @MoreEnv) {
61 ($old{$x}) = $ENV{$x} =~ /^(.*)$/ if exists $ENV{$x};
63 # VMS note: PATH and TERM are automatically created by the C
64 # library in VMS on reference to the their keys in %ENV.
65 # There is currently no way to determine if they did not exist
66 # before this test was run.
69 \$ENV{PATH} = \$old_env_path;
70 warn "# Note: logical name 'PATH' may have been created\n";
71 \$ENV{'TERM'} = \$old_env_term;
72 warn "# Note: logical name 'TERM' may have been created\n";
73 \@ENV{keys %old} = values %old;
74 if (defined \$old_env_dcl_path) {
75 \$ENV{'DCL\$PATH'} = \$old_env_dcl_path;
77 delete \$ENV{'DCL\$PATH'};
84 # The empty tainted value, for tainting strings
85 my $TAINT = substr($^X, 0, 0);
86 # A tainted zero, useful for tainting numbers
93 # This taints each argument passed. All must be lvalues.
94 # Side effect: It also stringifies them. :-(
96 for (@_) { $_ .= $TAINT }
99 # How to identify taint when you see it
101 local $@; # Don't pollute caller's value.
102 not eval { join("",@_), kill 0; 1 };
107 local $::Level = $::Level + 1;
108 ok(tainted($thing), @_);
113 local $::Level = $::Level + 1;
114 ok(!tainted($thing), @_);
118 my ($code, $what, $desc) = @_;
120 local $::Level = $::Level + 1;
121 is(eval { $code->(); }, undef, $desc);
122 like($@, qr/^Insecure dependency in $what while running with -T switch/);
125 # We need an external program to call.
126 my $ECHO = ($Is_MSWin32 ? ".\\echo$$" : ($Is_NetWare ? "echo$$" : "./echo$$"));
128 open my $fh, '>', $ECHO or die "Can't create $ECHO: $!";
129 print $fh 'print "@ARGV\n"', "\n";
131 my $echo = "$Invoke_Perl $ECHO";
135 # First, let's make sure that Perl is checking the dangerous
136 # environment variables. Maybe they aren't set yet, so we'll
137 # taint them ourselves.
139 $ENV{'DCL$PATH'} = '' if $Is_VMS;
141 $ENV{PATH} = ($Is_Cygwin) ? '/usr/bin' : '';
142 delete @ENV{@MoreEnv};
145 is(eval { `$echo 1` }, "1\n");
148 skip "Environment tainting tests skipped", 4
149 if $Is_MSWin32 || $Is_NetWare || $Is_VMS || $Is_Dos;
151 my @vars = ('PATH', @MoreEnv);
152 while (my $v = $vars[0]) {
153 local $ENV{$v} = $TAINT;
154 last if eval { `$echo 1` };
155 last unless $@ =~ /^Insecure \$ENV\{$v}/;
160 # tainted $TERM is unsafe only if it contains metachars
162 $ENV{TERM} = 'e=mc2';
163 is(eval { `$echo 1` }, "1\n");
164 $ENV{TERM} = 'e=mc2' . $TAINT;
165 is(eval { `$echo 1` }, undef);
166 like($@, qr/^Insecure \$ENV\{TERM}/);
170 if ($^O eq 'os2' || $^O eq 'amigaos' || $Is_MSWin32 || $Is_NetWare || $Is_Dos) {
171 print "# all directories are writeable\n";
174 $tmp = (grep { defined and -d and (stat _)[2] & 2 }
175 qw(sys$scratch /tmp /var/tmp /usr/tmp),
176 @ENV{qw(TMP TEMP)})[0]
177 or print "# can't find world-writeable directory to test PATH\n";
181 skip "all directories are writeable", 2 unless $tmp;
183 local $ENV{PATH} = $tmp;
184 is(eval { `$echo 1` }, undef);
185 like($@, qr/^Insecure directory in \$ENV\{PATH}/);
189 skip "This is not VMS", 4 unless $Is_VMS;
191 $ENV{'DCL$PATH'} = $TAINT;
192 is(eval { `$echo 1` }, undef);
193 like($@, qr/^Insecure \$ENV\{DCL\$PATH}/);
195 skip q[can't find world-writeable directory to test DCL$PATH], 2
198 $ENV{'DCL$PATH'} = $tmp;
199 is(eval { `$echo 1` }, undef);
200 like($@, qr/^Insecure directory in \$ENV\{DCL\$PATH}/);
202 $ENV{'DCL$PATH'} = '';
206 # Let's see that we can taint and untaint as needed.
211 # That was a sanity check. If it failed, stop the insanity!
212 die "Taint checks don't seem to be enabled" unless tainted $foo;
221 isnt_tainted($_) foreach @list;
222 taint_these @list[1,3,5,7,9];
223 is_tainted($_) foreach @list[1,3,5,7,9];
224 isnt_tainted($_) foreach @list[0,2,4,6,8];
226 ($foo) = $foo =~ /(.+)/;
229 my ($desc, $s, $res, $res2, $one);
231 $desc = "match with string tainted";
233 $s = 'abcd' . $TAINT;
236 is_tainted($s, "$desc: s tainted");
237 isnt_tainted($res, "$desc: res not tainted");
238 isnt_tainted($one, "$desc: \$1 not tainted");
239 is($res, 1, "$desc: res value");
240 is($one, 'abcd', "$desc: \$1 value");
242 $desc = "match /g with string tainted";
244 $s = 'abcd' . $TAINT;
247 is_tainted($s, "$desc: s tainted");
248 isnt_tainted($res, "$desc: res not tainted");
249 isnt_tainted($one, "$desc: \$1 not tainted");
250 is($res, 1, "$desc: res value");
251 is($one, 'a', "$desc: \$1 value");
253 $desc = "match with string tainted, list cxt";
255 $s = 'abcd' . $TAINT;
256 ($res) = $s =~ /(.+)/;
258 is_tainted($s, "$desc: s tainted");
259 isnt_tainted($res, "$desc: res not tainted");
260 isnt_tainted($one, "$desc: \$1 not tainted");
261 is($res, 'abcd', "$desc: res value");
262 is($one, 'abcd', "$desc: \$1 value");
264 $desc = "match /g with string tainted, list cxt";
266 $s = 'abcd' . $TAINT;
267 ($res, $res2) = $s =~ /(.)/g;
269 is_tainted($s, "$desc: s tainted");
270 isnt_tainted($res, "$desc: res not tainted");
271 isnt_tainted($res2,"$desc: res2 not tainted");
272 isnt_tainted($one, "$desc: \$1 not tainted");
273 is($res, 'a', "$desc: res value");
274 is($res2,'b', "$desc: res2 value");
275 is($one, 'd', "$desc: \$1 value");
277 $desc = "match with pattern tainted";
280 $res = $s =~ /$TAINT(.+)/;
282 isnt_tainted($s, "$desc: s not tainted");
283 isnt_tainted($res, "$desc: res not tainted");
284 is_tainted($one, "$desc: \$1 tainted");
285 is($res, 1, "$desc: res value");
286 is($one, 'abcd', "$desc: \$1 value");
288 $desc = "match /g with pattern tainted";
291 $res = $s =~ /$TAINT(.)/g;
293 isnt_tainted($s, "$desc: s not tainted");
294 isnt_tainted($res, "$desc: res not tainted");
295 is_tainted($one, "$desc: \$1 tainted");
296 is($res, 1, "$desc: res value");
297 is($one, 'a', "$desc: \$1 value");
300 skip 'No locale testing without d_setlocale', 10 if(!$Config{d_setlocale});
302 $desc = "match with pattern tainted via locale";
307 if($Config{d_setlocale}) {
308 require locale; import locale;
311 $res = $s =~ /(\w+)/; $one = $1;
313 isnt_tainted($s, "$desc: s not tainted");
314 isnt_tainted($res, "$desc: res not tainted");
315 is_tainted($one, "$desc: \$1 tainted");
316 is($res, 1, "$desc: res value");
317 is($one, 'abcd', "$desc: \$1 value");
319 $desc = "match /g with pattern tainted via locale";
324 if($Config{d_setlocale}) {
325 require locale; import locale;
328 $res = $s =~ /(\w)/g; $one = $1;
330 isnt_tainted($s, "$desc: s not tainted");
331 isnt_tainted($res, "$desc: res not tainted");
332 is_tainted($one, "$desc: \$1 tainted");
333 is($res, 1, "$desc: res value");
334 is($one, 'a', "$desc: \$1 value");
337 $desc = "match with pattern tainted, list cxt";
340 ($res) = $s =~ /$TAINT(.+)/;
342 isnt_tainted($s, "$desc: s not tainted");
343 is_tainted($res, "$desc: res tainted");
344 is_tainted($one, "$desc: \$1 tainted");
345 is($res, 'abcd', "$desc: res value");
346 is($one, 'abcd', "$desc: \$1 value");
348 $desc = "match /g with pattern tainted, list cxt";
351 ($res, $res2) = $s =~ /$TAINT(.)/g;
353 isnt_tainted($s, "$desc: s not tainted");
354 is_tainted($res, "$desc: res tainted");
355 is_tainted($one, "$desc: \$1 tainted");
356 is($res, 'a', "$desc: res value");
357 is($res2,'b', "$desc: res2 value");
358 is($one, 'd', "$desc: \$1 value");
361 skip 'No locale testing without d_setlocale', 12 if(!$Config{d_setlocale});
363 $desc = "match with pattern tainted via locale, list cxt";
368 if($Config{d_setlocale}) {
369 require locale; import locale;
372 ($res) = $s =~ /(\w+)/; $one = $1;
374 isnt_tainted($s, "$desc: s not tainted");
375 is_tainted($res, "$desc: res tainted");
376 is_tainted($one, "$desc: \$1 tainted");
377 is($res, 'abcd', "$desc: res value");
378 is($one, 'abcd', "$desc: \$1 value");
380 $desc = "match /g with pattern tainted via locale, list cxt";
385 if($Config{d_setlocale}) {
386 require locale; import locale;
389 ($res, $res2) = $s =~ /(\w)/g; $one = $1;
391 isnt_tainted($s, "$desc: s not tainted");
392 is_tainted($res, "$desc: res tainted");
393 is_tainted($res2, "$desc: res2 tainted");
394 is_tainted($one, "$desc: \$1 tainted");
395 is($res, 'a', "$desc: res value");
396 is($res2,'b', "$desc: res2 value");
397 is($one, 'd', "$desc: \$1 value");
400 $desc = "substitution with string tainted";
402 $s = 'abcd' . $TAINT;
403 $res = $s =~ s/(.+)/xyz/;
405 is_tainted($s, "$desc: s tainted");
406 isnt_tainted($res, "$desc: res not tainted");
407 isnt_tainted($one, "$desc: \$1 not tainted");
408 is($s, 'xyz', "$desc: s value");
409 is($res, 1, "$desc: res value");
410 is($one, 'abcd', "$desc: \$1 value");
412 $desc = "substitution /g with string tainted";
414 $s = 'abcd' . $TAINT;
415 $res = $s =~ s/(.)/x/g;
417 is_tainted($s, "$desc: s tainted");
418 is_tainted($res, "$desc: res tainted");
419 isnt_tainted($one, "$desc: \$1 not tainted");
420 is($s, 'xxxx', "$desc: s value");
421 is($res, 4, "$desc: res value");
422 is($one, 'd', "$desc: \$1 value");
424 $desc = "substitution /r with string tainted";
426 $s = 'abcd' . $TAINT;
427 $res = $s =~ s/(.+)/xyz/r;
429 is_tainted($s, "$desc: s tainted");
430 is_tainted($res, "$desc: res tainted");
431 isnt_tainted($one, "$desc: \$1 not tainted");
432 is($s, 'abcd', "$desc: s value");
433 is($res, 'xyz', "$desc: res value");
434 is($one, 'abcd', "$desc: \$1 value");
436 $desc = "substitution /e with string tainted";
438 $s = 'abcd' . $TAINT;
440 $res = $s =~ s{(.+)}{
441 $one = $one . "x"; # make sure code not tainted
442 isnt_tainted($one, "$desc: code not tainted within /e");
444 isnt_tainted($one, "$desc: \$1 not tainted within /e");
448 is_tainted($s, "$desc: s tainted");
449 isnt_tainted($res, "$desc: res not tainted");
450 isnt_tainted($one, "$desc: \$1 not tainted");
451 is($s, 'xyz', "$desc: s value");
452 is($res, 1, "$desc: res value");
453 is($one, 'abcd', "$desc: \$1 value");
455 $desc = "substitution with pattern tainted";
458 $res = $s =~ s/$TAINT(.+)/xyz/;
460 is_tainted($s, "$desc: s tainted");
461 isnt_tainted($res, "$desc: res not tainted");
462 is_tainted($one, "$desc: \$1 tainted");
463 is($s, 'xyz', "$desc: s value");
464 is($res, 1, "$desc: res value");
465 is($one, 'abcd', "$desc: \$1 value");
467 $desc = "substitution /g with pattern tainted";
470 $res = $s =~ s/$TAINT(.)/x/g;
472 is_tainted($s, "$desc: s tainted");
473 is_tainted($res, "$desc: res tainted");
474 is_tainted($one, "$desc: \$1 tainted");
475 is($s, 'xxxx', "$desc: s value");
476 is($res, 4, "$desc: res value");
477 is($one, 'd', "$desc: \$1 value");
479 $desc = "substitution /ge with pattern tainted";
485 $res = $s =~ s{(.)$TAINT}{
486 $j = $i; # make sure code not tainted
488 isnt_tainted($j, "$desc: code not tainted within /e");
491 isnt_tainted($s, "$desc: s not tainted loop 1");
494 is_tainted($s, "$desc: s tainted loop $i");
496 is_tainted($one, "$desc: \$1 tainted loop $i");
501 is_tainted($s, "$desc: s tainted");
502 is_tainted($res, "$desc: res tainted");
503 is_tainted($one, "$desc: \$1 tainted");
504 is($s, '123', "$desc: s value");
505 is($res, 3, "$desc: res value");
506 is($one, 'c', "$desc: \$1 value");
508 $desc = "substitution /r with pattern tainted";
511 $res = $s =~ s/$TAINT(.+)/xyz/r;
513 isnt_tainted($s, "$desc: s not tainted");
514 is_tainted($res, "$desc: res tainted");
515 is_tainted($one, "$desc: \$1 tainted");
516 is($s, 'abcd', "$desc: s value");
517 is($res, 'xyz', "$desc: res value");
518 is($one, 'abcd', "$desc: \$1 value");
521 skip 'No locale testing without d_setlocale', 18 if(!$Config{d_setlocale});
523 $desc = "substitution with pattern tainted via locale";
528 if($Config{d_setlocale}) {
529 require locale; import locale;
532 $res = $s =~ s/(\w+)/xyz/; $one = $1;
534 is_tainted($s, "$desc: s tainted");
535 isnt_tainted($res, "$desc: res not tainted");
536 is_tainted($one, "$desc: \$1 tainted");
537 is($s, 'xyz', "$desc: s value");
538 is($res, 1, "$desc: res value");
539 is($one, 'abcd', "$desc: \$1 value");
541 $desc = "substitution /g with pattern tainted via locale";
546 if($Config{d_setlocale}) {
547 require locale; import locale;
550 $res = $s =~ s/(\w)/x/g; $one = $1;
552 is_tainted($s, "$desc: s tainted");
553 is_tainted($res, "$desc: res tainted");
554 is_tainted($one, "$desc: \$1 tainted");
555 is($s, 'xxxx', "$desc: s value");
556 is($res, 4, "$desc: res value");
557 is($one, 'd', "$desc: \$1 value");
559 $desc = "substitution /r with pattern tainted via locale";
564 if($Config{d_setlocale}) {
565 require locale; import locale;
568 $res = $s =~ s/(\w+)/xyz/r; $one = $1;
570 isnt_tainted($s, "$desc: s not tainted");
571 is_tainted($res, "$desc: res tainted");
572 is_tainted($one, "$desc: \$1 tainted");
573 is($s, 'abcd', "$desc: s value");
574 is($res, 'xyz', "$desc: res value");
575 is($one, 'abcd', "$desc: \$1 value");
578 $desc = "substitution with replacement tainted";
581 $res = $s =~ s/(.+)/xyz$TAINT/;
583 is_tainted($s, "$desc: s tainted");
584 isnt_tainted($res, "$desc: res not tainted");
585 isnt_tainted($one, "$desc: \$1 not tainted");
586 is($s, 'xyz', "$desc: s value");
587 is($res, 1, "$desc: res value");
588 is($one, 'abcd', "$desc: \$1 value");
590 $desc = "substitution /g with replacement tainted";
593 $res = $s =~ s/(.)/x$TAINT/g;
595 is_tainted($s, "$desc: s tainted");
596 isnt_tainted($res, "$desc: res not tainted");
597 isnt_tainted($one, "$desc: \$1 not tainted");
598 is($s, 'xxxx', "$desc: s value");
599 is($res, 4, "$desc: res value");
600 is($one, 'd', "$desc: \$1 value");
602 $desc = "substitution /ge with replacement tainted";
609 $j = $i; # make sure code not tainted
611 isnt_tainted($j, "$desc: code not tainted within /e");
614 isnt_tainted($s, "$desc: s not tainted loop 1");
617 is_tainted($s, "$desc: s tainted loop $i");
619 isnt_tainted($one, "$desc: \$1 not tainted within /e");
624 is_tainted($s, "$desc: s tainted");
625 isnt_tainted($res, "$desc: res tainted");
626 isnt_tainted($one, "$desc: \$1 not tainted");
627 is($s, '123', "$desc: s value");
628 is($res, 3, "$desc: res value");
629 is($one, 'c', "$desc: \$1 value");
631 $desc = "substitution /r with replacement tainted";
634 $res = $s =~ s/(.+)/xyz$TAINT/r;
636 isnt_tainted($s, "$desc: s not tainted");
637 is_tainted($res, "$desc: res tainted");
638 isnt_tainted($one, "$desc: \$1 not tainted");
639 is($s, 'abcd', "$desc: s value");
640 is($res, 'xyz', "$desc: res value");
641 is($one, 'abcd', "$desc: \$1 value");
644 # now do them all again with "use re 'taint"
648 $desc = "use re 'taint': match with string tainted";
650 $s = 'abcd' . $TAINT;
653 is_tainted($s, "$desc: s tainted");
654 isnt_tainted($res, "$desc: res not tainted");
655 is_tainted($one, "$desc: \$1 tainted");
656 is($res, 1, "$desc: res value");
657 is($one, 'abcd', "$desc: \$1 value");
659 $desc = "use re 'taint': match /g with string tainted";
661 $s = 'abcd' . $TAINT;
664 is_tainted($s, "$desc: s tainted");
665 isnt_tainted($res, "$desc: res not tainted");
666 is_tainted($one, "$desc: \$1 tainted");
667 is($res, 1, "$desc: res value");
668 is($one, 'a', "$desc: \$1 value");
670 $desc = "use re 'taint': match with string tainted, list cxt";
672 $s = 'abcd' . $TAINT;
673 ($res) = $s =~ /(.+)/;
675 is_tainted($s, "$desc: s tainted");
676 is_tainted($res, "$desc: res tainted");
677 is_tainted($one, "$desc: \$1 tainted");
678 is($res, 'abcd', "$desc: res value");
679 is($one, 'abcd', "$desc: \$1 value");
681 $desc = "use re 'taint': match /g with string tainted, list cxt";
683 $s = 'abcd' . $TAINT;
684 ($res, $res2) = $s =~ /(.)/g;
686 is_tainted($s, "$desc: s tainted");
687 is_tainted($res, "$desc: res tainted");
688 is_tainted($res2, "$desc: res2 tainted");
689 is_tainted($one, "$desc: \$1 not tainted");
690 is($res, 'a', "$desc: res value");
691 is($res2,'b', "$desc: res2 value");
692 is($one, 'd', "$desc: \$1 value");
694 $desc = "use re 'taint': match with pattern tainted";
697 $res = $s =~ /$TAINT(.+)/;
699 isnt_tainted($s, "$desc: s not tainted");
700 isnt_tainted($res, "$desc: res not tainted");
701 is_tainted($one, "$desc: \$1 tainted");
702 is($res, 1, "$desc: res value");
703 is($one, 'abcd', "$desc: \$1 value");
705 $desc = "use re 'taint': match /g with pattern tainted";
708 $res = $s =~ /$TAINT(.)/g;
710 isnt_tainted($s, "$desc: s not tainted");
711 isnt_tainted($res, "$desc: res not tainted");
712 is_tainted($one, "$desc: \$1 tainted");
713 is($res, 1, "$desc: res value");
714 is($one, 'a', "$desc: \$1 value");
717 skip 'No locale testing without d_setlocale', 10 if(!$Config{d_setlocale});
719 $desc = "use re 'taint': match with pattern tainted via locale";
724 if($Config{d_setlocale}) {
725 require locale; import locale;
728 $res = $s =~ /(\w+)/; $one = $1;
730 isnt_tainted($s, "$desc: s not tainted");
731 isnt_tainted($res, "$desc: res not tainted");
732 is_tainted($one, "$desc: \$1 tainted");
733 is($res, 1, "$desc: res value");
734 is($one, 'abcd', "$desc: \$1 value");
736 $desc = "use re 'taint': match /g with pattern tainted via locale";
741 if($Config{d_setlocale}) {
742 require locale; import locale;
745 $res = $s =~ /(\w)/g; $one = $1;
747 isnt_tainted($s, "$desc: s not tainted");
748 isnt_tainted($res, "$desc: res not tainted");
749 is_tainted($one, "$desc: \$1 tainted");
750 is($res, 1, "$desc: res value");
751 is($one, 'a', "$desc: \$1 value");
754 $desc = "use re 'taint': match with pattern tainted, list cxt";
757 ($res) = $s =~ /$TAINT(.+)/;
759 isnt_tainted($s, "$desc: s not tainted");
760 is_tainted($res, "$desc: res tainted");
761 is_tainted($one, "$desc: \$1 tainted");
762 is($res, 'abcd', "$desc: res value");
763 is($one, 'abcd', "$desc: \$1 value");
765 $desc = "use re 'taint': match /g with pattern tainted, list cxt";
768 ($res, $res2) = $s =~ /$TAINT(.)/g;
770 isnt_tainted($s, "$desc: s not tainted");
771 is_tainted($res, "$desc: res tainted");
772 is_tainted($one, "$desc: \$1 tainted");
773 is($res, 'a', "$desc: res value");
774 is($res2,'b', "$desc: res2 value");
775 is($one, 'd', "$desc: \$1 value");
778 skip 'No locale testing without d_setlocale', 12 if(!$Config{d_setlocale});
780 $desc = "use re 'taint': match with pattern tainted via locale, list cxt";
785 if($Config{d_setlocale}) {
786 require locale; import locale;
789 ($res) = $s =~ /(\w+)/; $one = $1;
791 isnt_tainted($s, "$desc: s not tainted");
792 is_tainted($res, "$desc: res tainted");
793 is_tainted($one, "$desc: \$1 tainted");
794 is($res, 'abcd', "$desc: res value");
795 is($one, 'abcd', "$desc: \$1 value");
797 $desc = "use re 'taint': match /g with pattern tainted via locale, list cxt";
802 if($Config{d_setlocale}) {
803 require locale; import locale;
806 ($res, $res2) = $s =~ /(\w)/g; $one = $1;
808 isnt_tainted($s, "$desc: s not tainted");
809 is_tainted($res, "$desc: res tainted");
810 is_tainted($res2, "$desc: res2 tainted");
811 is_tainted($one, "$desc: \$1 tainted");
812 is($res, 'a', "$desc: res value");
813 is($res2,'b', "$desc: res2 value");
814 is($one, 'd', "$desc: \$1 value");
817 $desc = "use re 'taint': substitution with string tainted";
819 $s = 'abcd' . $TAINT;
820 $res = $s =~ s/(.+)/xyz/;
822 is_tainted($s, "$desc: s tainted");
823 isnt_tainted($res, "$desc: res not tainted");
824 is_tainted($one, "$desc: \$1 tainted");
825 is($s, 'xyz', "$desc: s value");
826 is($res, 1, "$desc: res value");
827 is($one, 'abcd', "$desc: \$1 value");
829 $desc = "use re 'taint': substitution /g with string tainted";
831 $s = 'abcd' . $TAINT;
832 $res = $s =~ s/(.)/x/g;
834 is_tainted($s, "$desc: s tainted");
835 is_tainted($res, "$desc: res tainted");
836 is_tainted($one, "$desc: \$1 tainted");
837 is($s, 'xxxx', "$desc: s value");
838 is($res, 4, "$desc: res value");
839 is($one, 'd', "$desc: \$1 value");
841 $desc = "use re 'taint': substitution /r with string tainted";
843 $s = 'abcd' . $TAINT;
844 $res = $s =~ s/(.+)/xyz/r;
846 is_tainted($s, "$desc: s tainted");
847 is_tainted($res, "$desc: res tainted");
848 is_tainted($one, "$desc: \$1 tainted");
849 is($s, 'abcd', "$desc: s value");
850 is($res, 'xyz', "$desc: res value");
851 is($one, 'abcd', "$desc: \$1 value");
853 $desc = "use re 'taint': substitution /e with string tainted";
855 $s = 'abcd' . $TAINT;
857 $res = $s =~ s{(.+)}{
858 $one = $one . "x"; # make sure code not tainted
859 isnt_tainted($one, "$desc: code not tainted within /e");
861 is_tainted($one, "$desc: $1 tainted within /e");
865 is_tainted($s, "$desc: s tainted");
866 isnt_tainted($res, "$desc: res not tainted");
867 is_tainted($one, "$desc: \$1 tainted");
868 is($s, 'xyz', "$desc: s value");
869 is($res, 1, "$desc: res value");
870 is($one, 'abcd', "$desc: \$1 value");
872 $desc = "use re 'taint': substitution with pattern tainted";
875 $res = $s =~ s/$TAINT(.+)/xyz/;
877 is_tainted($s, "$desc: s tainted");
878 isnt_tainted($res, "$desc: res not tainted");
879 is_tainted($one, "$desc: \$1 tainted");
880 is($s, 'xyz', "$desc: s value");
881 is($res, 1, "$desc: res value");
882 is($one, 'abcd', "$desc: \$1 value");
884 $desc = "use re 'taint': substitution /g with pattern tainted";
887 $res = $s =~ s/$TAINT(.)/x/g;
889 is_tainted($s, "$desc: s tainted");
890 is_tainted($res, "$desc: res tainted");
891 is_tainted($one, "$desc: \$1 tainted");
892 is($s, 'xxxx', "$desc: s value");
893 is($res, 4, "$desc: res value");
894 is($one, 'd', "$desc: \$1 value");
896 $desc = "use re 'taint': substitution /ge with pattern tainted";
902 $res = $s =~ s{(.)$TAINT}{
903 $j = $i; # make sure code not tainted
905 isnt_tainted($j, "$desc: code not tainted within /e");
908 isnt_tainted($s, "$desc: s not tainted loop 1");
911 is_tainted($s, "$desc: s tainted loop $i");
913 is_tainted($one, "$desc: \$1 tainted loop $i");
918 is_tainted($s, "$desc: s tainted");
919 is_tainted($res, "$desc: res tainted");
920 is_tainted($one, "$desc: \$1 tainted");
921 is($s, '123', "$desc: s value");
922 is($res, 3, "$desc: res value");
923 is($one, 'c', "$desc: \$1 value");
926 $desc = "use re 'taint': substitution /r with pattern tainted";
929 $res = $s =~ s/$TAINT(.+)/xyz/r;
931 isnt_tainted($s, "$desc: s not tainted");
932 is_tainted($res, "$desc: res tainted");
933 is_tainted($one, "$desc: \$1 tainted");
934 is($s, 'abcd', "$desc: s value");
935 is($res, 'xyz', "$desc: res value");
936 is($one, 'abcd', "$desc: \$1 value");
939 skip 'No locale testing without d_setlocale', 18 if(!$Config{d_setlocale});
941 $desc = "use re 'taint': substitution with pattern tainted via locale";
946 if($Config{d_setlocale}) {
947 require locale; import locale;
950 $res = $s =~ s/(\w+)/xyz/; $one = $1;
952 is_tainted($s, "$desc: s tainted");
953 isnt_tainted($res, "$desc: res not tainted");
954 is_tainted($one, "$desc: \$1 tainted");
955 is($s, 'xyz', "$desc: s value");
956 is($res, 1, "$desc: res value");
957 is($one, 'abcd', "$desc: \$1 value");
959 $desc = "use re 'taint': substitution /g with pattern tainted via locale";
964 if($Config{d_setlocale}) {
965 require locale; import locale;
968 $res = $s =~ s/(\w)/x/g; $one = $1;
970 is_tainted($s, "$desc: s tainted");
971 is_tainted($res, "$desc: res tainted");
972 is_tainted($one, "$desc: \$1 tainted");
973 is($s, 'xxxx', "$desc: s value");
974 is($res, 4, "$desc: res value");
975 is($one, 'd', "$desc: \$1 value");
977 $desc = "use re 'taint': substitution /r with pattern tainted via locale";
982 if($Config{d_setlocale}) {
983 require locale; import locale;
986 $res = $s =~ s/(\w+)/xyz/r; $one = $1;
988 isnt_tainted($s, "$desc: s not tainted");
989 is_tainted($res, "$desc: res tainted");
990 is_tainted($one, "$desc: \$1 tainted");
991 is($s, 'abcd', "$desc: s value");
992 is($res, 'xyz', "$desc: res value");
993 is($one, 'abcd', "$desc: \$1 value");
996 $desc = "use re 'taint': substitution with replacement tainted";
999 $res = $s =~ s/(.+)/xyz$TAINT/;
1001 is_tainted($s, "$desc: s tainted");
1002 isnt_tainted($res, "$desc: res not tainted");
1003 isnt_tainted($one, "$desc: \$1 not tainted");
1004 is($s, 'xyz', "$desc: s value");
1005 is($res, 1, "$desc: res value");
1006 is($one, 'abcd', "$desc: \$1 value");
1008 $desc = "use re 'taint': substitution /g with replacement tainted";
1011 $res = $s =~ s/(.)/x$TAINT/g;
1013 is_tainted($s, "$desc: s tainted");
1014 isnt_tainted($res, "$desc: res not tainted");
1015 isnt_tainted($one, "$desc: \$1 not tainted");
1016 is($s, 'xxxx', "$desc: s value");
1017 is($res, 4, "$desc: res value");
1018 is($one, 'd', "$desc: \$1 value");
1020 $desc = "use re 'taint': substitution /ge with replacement tainted";
1026 $res = $s =~ s{(.)}{
1027 $j = $i; # make sure code not tainted
1029 isnt_tainted($j, "$desc: code not tainted within /e");
1032 isnt_tainted($s, "$desc: s not tainted loop 1");
1035 is_tainted($s, "$desc: s tainted loop $i");
1037 isnt_tainted($one, "$desc: \$1 not tainted");
1042 is_tainted($s, "$desc: s tainted");
1043 isnt_tainted($res, "$desc: res tainted");
1044 isnt_tainted($one, "$desc: \$1 not tainted");
1045 is($s, '123', "$desc: s value");
1046 is($res, 3, "$desc: res value");
1047 is($one, 'c', "$desc: \$1 value");
1049 $desc = "use re 'taint': substitution /r with replacement tainted";
1052 $res = $s =~ s/(.+)/xyz$TAINT/r;
1054 isnt_tainted($s, "$desc: s not tainted");
1055 is_tainted($res, "$desc: res tainted");
1056 isnt_tainted($one, "$desc: \$1 not tainted");
1057 is($s, 'abcd', "$desc: s value");
1058 is($res, 'xyz', "$desc: res value");
1059 is($one, 'abcd', "$desc: \$1 value");
1061 # [perl #121854] match taintedness became sticky
1062 # when one match has a taintess result, subseqent matches
1063 # using the same pattern shouldn't necessarily be tainted
1066 my $f = sub { $_[0] =~ /(.*)/ or die; $1 };
1067 $res = $f->($TAINT);
1068 is_tainted($res, "121854: res tainted");
1070 isnt_tainted($res, "121854: res not tainted");
1074 $foo = $1 if 'bar' =~ /(.+)$TAINT/;
1078 my $pi = 4 * atan2(1,1) + $TAINT0;
1081 ($pi) = $pi =~ /(\d+\.\d+)/;
1083 is(sprintf("%.5f", $pi), '3.14159');
1086 # How about command-line arguments? The problem is that we don't
1087 # always get some, so we'll run another process with some.
1089 my $arg = tempfile();
1090 open $fh, '>', $arg or die "Can't create $arg: $!";
1092 eval { join('', @ARGV), kill 0 };
1093 exit 0 if $@ =~ /^Insecure dependency/;
1094 print "# Oops: \$@ was [$@]\n";
1097 close $fh or die "Can't close $arg: $!";
1098 print `$Invoke_Perl "-T" $arg and some suspect arguments`;
1099 is($?, 0, "Exited with status $?");
1103 # Reading from a file should be tainted
1105 ok(open my $fh, '<', $TEST) or diag("Couldn't open '$TEST': $!");
1108 sysread($fh, $block, 100);
1115 # Output of commands should be tainted
1117 my $foo = `$echo abc`;
1121 # Certain system variables should be tainted
1127 # Results of matching should all be untainted
1129 my $foo = "abcdefghi" . $TAINT;
1137 $foo =~ /(...)(...)(...)/;
1143 my @bar = $foo =~ /(...)(...)(...)/;
1144 isnt_tainted($_) foreach @bar;
1146 is_tainted($foo); # $foo should still be tainted!
1147 is($foo, "abcdefghi");
1150 # Operations which affect files can't use tainted data.
1152 violates_taint(sub { chmod 0, $TAINT }, 'chmod');
1155 skip "truncate() is not available", 2 unless $Config{d_truncate};
1157 violates_taint(sub { truncate 'NoSuChFiLe', $TAINT0 }, 'truncate');
1160 violates_taint(sub { rename '', $TAINT }, 'rename');
1161 violates_taint(sub { unlink $TAINT }, 'unlink');
1162 violates_taint(sub { utime $TAINT }, 'utime');
1165 skip "chown() is not available", 2 unless $Config{d_chown};
1167 violates_taint(sub { chown -1, -1, $TAINT }, 'chown');
1171 skip "link() is not available", 2 unless $Config{d_link};
1173 violates_taint(sub { link $TAINT, '' }, 'link');
1177 skip "symlink() is not available", 2 unless $Config{d_symlink};
1179 violates_taint(sub { symlink $TAINT, '' }, 'symlink');
1183 # Operations which affect directories can't use tainted data.
1185 violates_taint(sub { mkdir "foo".$TAINT, 0755 . $TAINT0 }, 'mkdir');
1186 violates_taint(sub { rmdir $TAINT }, 'rmdir');
1187 violates_taint(sub { chdir "foo".$TAINT }, 'chdir');
1190 skip "chroot() is not available", 2 unless $Config{d_chroot};
1192 violates_taint(sub { chroot $TAINT }, 'chroot');
1196 # Some operations using files can't use tainted data.
1198 my $foo = "imaginary library" . $TAINT;
1199 violates_taint(sub { require $foo }, 'require');
1201 my $filename = tempfile(); # NB: $filename isn't tainted!
1202 $foo = $filename . $TAINT;
1203 unlink $filename; # in any case
1205 is(eval { open FOO, $foo }, undef, 'open for read');
1206 is($@, ''); # NB: This should be allowed
1207 is(eval { open my $fh, , '<', $foo }, undef, 'open for read');
1208 is($@, ''); # NB: This should be allowed
1210 # Try first new style but allow also old style.
1211 # We do not want the whole taint.t to fail
1212 # just because Errno possibly failing.
1213 ok(eval('$!{ENOENT}') ||
1214 $! == 2 || # File not found
1215 ($Is_Dos && $! == 22));
1217 violates_taint(sub { open FOO, "> $foo" }, 'open', 'open for write');
1218 violates_taint(sub { open my $fh, '>', $foo }, 'open', 'open for write');
1221 # Commands to the system can't use tainted data
1226 skip "open('|') is not available", 8 if $^O eq 'amigaos';
1228 violates_taint(sub { open FOO, "| x$foo" }, 'piped open', 'popen to');
1229 violates_taint(sub { open FOO, "x$foo |" }, 'piped open', 'popen from');
1230 violates_taint(sub { open my $fh, '|-', "x$foo" }, 'piped open', 'popen to');
1231 violates_taint(sub { open my $fh, '-|', "x$foo" }, 'piped open', 'popen from');
1234 violates_taint(sub { exec $TAINT }, 'exec');
1235 violates_taint(sub { system $TAINT }, 'system');
1240 violates_taint(sub { `$echo 1$foo` }, '``', 'backticks');
1243 # wildcard expansion doesn't invoke shell on VMS, so is safe
1244 skip "This is not VMS", 2 unless $Is_VMS;
1246 isnt(join('', eval { glob $foo } ), '', 'globbing');
1251 # Operations which affect processes can't use tainted data.
1253 violates_taint(sub { kill 0, $TAINT }, 'kill');
1256 skip "setpgrp() is not available", 2 unless $Config{d_setpgrp};
1258 violates_taint(sub { setpgrp 0, $TAINT0 }, 'setpgrp');
1262 skip "setpriority() is not available", 2 unless $Config{d_setprior};
1264 violates_taint(sub { setpriority 0, $TAINT0, $TAINT0 }, 'setpriority');
1268 # Some miscellaneous operations can't use tainted data.
1271 skip "syscall() is not available", 2 unless $Config{d_syscall};
1273 violates_taint(sub { syscall $TAINT }, 'syscall');
1277 my $foo = "x" x 979;
1280 my $temp = tempfile();
1281 ok(open FOO, "> $temp") or diag("Couldn't open $temp for write: $!");
1282 violates_taint(sub { ioctl FOO, $TAINT0, $foo }, 'ioctl');
1284 my $temp2 = tempfile();
1285 ok(open my $fh, '>', $temp2) or diag("Couldn't open $temp2 for write: $!");
1286 violates_taint(sub { ioctl $fh, $TAINT0, $foo }, 'ioctl');
1289 skip "fcntl() is not available", 4 unless $Config{d_fcntl};
1291 violates_taint(sub { fcntl FOO, $TAINT0, $foo }, 'fcntl');
1292 violates_taint(sub { fcntl $fh, $TAINT0, $foo }, 'fcntl');
1299 # Some tests involving references
1301 my $foo = 'abc' . $TAINT;
1303 isnt_tainted($fooref);
1304 is_tainted($$fooref);
1308 # Some tests involving assignment
1314 is_tainted($foo = $bar);
1315 is_tainted($bar = $bar);
1316 is_tainted($bar += $bar);
1317 is_tainted($bar -= $bar);
1318 is_tainted($bar *= $bar);
1320 is_tainted($bar /= $bar);
1321 is_tainted($bar += 0);
1322 is_tainted($bar -= 2);
1323 is_tainted($bar *= -1);
1324 is_tainted($bar /= 1);
1329 # Test assignment and return of lists
1331 my @foo = ("A", "tainted" . $TAINT, "B");
1332 isnt_tainted($foo[0]);
1333 is_tainted( $foo[1]);
1334 isnt_tainted($foo[2]);
1336 isnt_tainted($bar[0]);
1337 is_tainted( $bar[1]);
1338 isnt_tainted($bar[2]);
1339 my @baz = eval { "A", "tainted" . $TAINT, "B" };
1340 isnt_tainted($baz[0]);
1341 is_tainted( $baz[1]);
1342 isnt_tainted($baz[2]);
1343 my @plugh = eval q[ "A", "tainted" . $TAINT, "B" ];
1344 isnt_tainted($plugh[0]);
1345 is_tainted( $plugh[1]);
1346 isnt_tainted($plugh[2]);
1347 my $nautilus = sub { "A", "tainted" . $TAINT, "B" };
1348 isnt_tainted(((&$nautilus)[0]));
1349 is_tainted( ((&$nautilus)[1]));
1350 isnt_tainted(((&$nautilus)[2]));
1351 my @xyzzy = &$nautilus;
1352 isnt_tainted($xyzzy[0]);
1353 is_tainted( $xyzzy[1]);
1354 isnt_tainted($xyzzy[2]);
1355 my $red_october = sub { return "A", "tainted" . $TAINT, "B" };
1356 isnt_tainted(((&$red_october)[0]));
1357 is_tainted( ((&$red_october)[1]));
1358 isnt_tainted(((&$red_october)[2]));
1359 my @corge = &$red_october;
1360 isnt_tainted($corge[0]);
1361 is_tainted( $corge[1]);
1362 isnt_tainted($corge[2]);
1365 # Test for system/library calls returning string data of dubious origin.
1367 # No reliable %Config check for getpw*
1369 skip "getpwent() is not available", 9 unless
1370 eval { setpwent(); getpwent() };
1373 my @getpwent = getpwent();
1374 die "getpwent: $!\n" unless (@getpwent);
1375 isnt_tainted($getpwent[0]);
1376 is_tainted($getpwent[1]);
1377 isnt_tainted($getpwent[2]);
1378 isnt_tainted($getpwent[3]);
1379 isnt_tainted($getpwent[4]);
1380 isnt_tainted($getpwent[5]);
1381 is_tainted($getpwent[6], 'ge?cos');
1382 isnt_tainted($getpwent[7]);
1383 is_tainted($getpwent[8], 'shell');
1388 # pretty hard to imagine not
1389 skip "readdir() is not available", 1 unless $Config{d_readdir};
1391 opendir my $dh, "op" or die "opendir: $!\n";
1392 my $readdir = readdir $dh;
1393 is_tainted($readdir);
1398 skip "readlink() or symlink() is not available" unless
1399 $Config{d_readlink} && $Config{d_symlink};
1401 my $symlink = "sl$$";
1403 my $sl = "/something/naughty";
1404 # it has to be a real path on Mac OS
1405 symlink($sl, $symlink) or die "symlink: $!\n";
1406 my $readlink = readlink($symlink);
1407 is_tainted($readlink);
1412 # test bitwise ops (regression bug)
1422 # test target of substitution (regression bug)
1424 my $why = $TAINT."y";
1432 $why =~ s/e/'-'.$$/ge;
1438 skip "no IPC::SysV", 2 unless $ipcsysv;
1442 skip "shm*() not available", 1 unless $Config{d_shm};
1445 my $sent = "foobar";
1450 local $SIG{SYS} = sub { die "SIGSYS caught\n" };
1451 $id = shmget(IPC_PRIVATE, $size, S_IRWXU);
1453 } or do { chomp(my $msg = $@); skip "shmget: $msg", 1; };
1456 if (shmwrite($id, $sent, 0, 60)) {
1457 if (shmread($id, $rcvd, 0, 60)) {
1458 substr($rcvd, index($rcvd, "\0")) = '';
1460 warn "# shmread failed: $!\n";
1463 warn "# shmwrite failed: $!\n";
1465 shmctl($id, IPC_RMID, 0) or warn "# shmctl failed: $!\n";
1467 warn "# shmget failed: $!\n";
1470 skip "SysV shared memory operation failed", 1 unless
1473 is_tainted($rcvd, "shmread");
1479 skip "msg*() not available", 1 unless $Config{d_msg};
1484 local $SIG{SYS} = sub { die "SIGSYS caught\n" };
1485 $id = msgget(IPC_PRIVATE, IPC_CREAT | S_IRWXU);
1487 } or do { chomp(my $msg = $@); skip "msgget: $msg", 1; };
1489 my $sent = "message";
1490 my $type_sent = 1234;
1495 if (msgsnd($id, pack("l! a*", $type_sent, $sent), IPC_NOWAIT)) {
1496 if (msgrcv($id, $rcvd, 60, 0, IPC_NOWAIT)) {
1497 ($type_rcvd, $rcvd) = unpack("l! a*", $rcvd);
1499 warn "# msgrcv failed: $!\n";
1502 warn "# msgsnd failed: $!\n";
1504 msgctl($id, IPC_RMID, 0) or warn "# msgctl failed: $!\n";
1506 warn "# msgget failed\n";
1510 skip "SysV message queue operation failed", 1
1511 unless $rcvd eq $sent && $type_sent == $type_rcvd;
1513 is_tainted($rcvd, "msgrcv");
1519 # bug id 20001004.006
1521 open my $fh, '<', $TEST or warn "$0: cannot read $TEST: $!" ;
1532 # bug id 20001004.007
1534 open my $fh, '<', $TEST or warn "$0: cannot read $TEST: $!" ;
1540 isnt_tainted($c->{a});
1541 is_tainted($c->{b});
1546 is_tainted($d->{a});
1547 isnt_tainted($d->{b});
1551 b => { c => $a, d => 42 } };
1552 isnt_tainted($e->{a});
1553 isnt_tainted($e->{b});
1554 is_tainted($e->{b}->{c});
1555 isnt_tainted($e->{b}->{d});
1559 # bug id 20010519.003
1562 use vars qw($has_fcntl);
1563 eval { require Fcntl; import Fcntl; };
1570 skip "no Fcntl", 18 unless $has_fcntl;
1572 my $foo = tempfile();
1573 my $evil = $foo . $TAINT;
1575 is(eval { sysopen(my $ro, $evil, &O_RDONLY) }, undef);
1578 violates_taint(sub { sysopen(my $wo, $evil, &O_WRONLY) }, 'sysopen');
1579 violates_taint(sub { sysopen(my $rw, $evil, &O_RDWR) }, 'sysopen');
1580 violates_taint(sub { sysopen(my $ap, $evil, &O_APPEND) }, 'sysopen');
1581 violates_taint(sub { sysopen(my $cr, $evil, &O_CREAT) }, 'sysopen');
1582 violates_taint(sub { sysopen(my $tr, $evil, &O_TRUNC) }, 'sysopen');
1584 is(eval { sysopen(my $ro, $foo, &O_RDONLY | $TAINT0) }, undef);
1587 violates_taint(sub { sysopen(my $wo, $foo, &O_WRONLY | $TAINT0) }, 'sysopen');
1588 violates_taint(sub { sysopen(my $rw, $foo, &O_RDWR | $TAINT0) }, 'sysopen');
1589 violates_taint(sub { sysopen(my $ap, $foo, &O_APPEND | $TAINT0) }, 'sysopen');
1590 violates_taint(sub { sysopen(my $cr, $foo, &O_CREAT | $TAINT0) }, 'sysopen');
1591 violates_taint(sub { sysopen(my $tr, $foo, &O_TRUNC | $TAINT0) }, 'sysopen');
1592 is(eval { sysopen(my $ro, $foo, &O_RDONLY, $TAINT0) }, undef);
1595 violates_taint(sub { sysopen(my $wo, $foo, &O_WRONLY, $TAINT0) }, 'sysopen');
1596 violates_taint(sub { sysopen(my $rw, $foo, &O_RDWR, $TAINT0) }, 'sysopen');
1597 violates_taint(sub { sysopen(my $ap, $foo, &O_APPEND, $TAINT0) }, 'sysopen');
1598 violates_taint(sub { sysopen(my $cr, $foo, &O_CREAT, $TAINT0) }, 'sysopen');
1599 violates_taint(sub { sysopen(my $tr, $foo, &O_TRUNC, $TAINT0) }, 'sysopen');
1608 my $saw_warning = 0;
1609 local $SIG{__WARN__} = sub { ++$saw_warning };
1612 my $divnum = shift()/1;
1613 sprintf("%1.1f\n", $divnum);
1620 is($saw_warning, 0);
1625 # Bug ID 20010730.010
1629 sub Tie::TIESCALAR {
1633 bless \$arg => $class;
1644 my $bar = "The Big Bright Green Pleasure Machine";
1646 tie my ($foo), Tie => $bar;
1654 # Check that all environment variables are tainted.
1656 while (my ($k, $v) = each %ENV) {
1658 # These we have explicitly untainted or set earlier.
1659 $k !~ /^(BASH_ENV|CDPATH|ENV|IFS|PATH|PERL_CORE|TEMP|TERM|TMP)$/) {
1660 push @untainted, "# '$k' = '$v'\n";
1663 is("@untainted", "");
1667 is(${^TAINT}, 1, '$^TAINT is on');
1669 eval { ${^TAINT} = 0 };
1670 is(${^TAINT}, 1, '$^TAINT is not assignable');
1671 like($@, qr/^Modification of a read-only value attempted/,
1672 'Assigning to ${^TAINT} fails');
1677 my $re1 = qr/x$TAINT/;
1680 my $re2 = qr/^$re1\z/;
1688 skip "system {} has different semantics on Win32", 1 if $Is_MSWin32;
1691 local $ENV{PATH} .= $TAINT;
1692 eval { system { "echo" } "/arg0", "arg1" };
1693 like($@, qr/^Insecure \$ENV/);
1697 todo_skip 'tainted %ENV warning occludes tainted arguments warning', 22
1700 # bug 20020208.005 plus some single arg exec/system extras
1701 violates_taint(sub { exec $TAINT, $TAINT }, 'exec');
1702 violates_taint(sub { exec $TAINT $TAINT }, 'exec');
1703 violates_taint(sub { exec $TAINT $TAINT, $TAINT }, 'exec');
1704 violates_taint(sub { exec $TAINT 'notaint' }, 'exec');
1705 violates_taint(sub { exec {'notaint'} $TAINT }, 'exec');
1707 violates_taint(sub { system $TAINT, $TAINT }, 'system');
1708 violates_taint(sub { system $TAINT $TAINT }, 'system');
1709 violates_taint(sub { system $TAINT $TAINT, $TAINT }, 'system');
1710 violates_taint(sub { system $TAINT 'notaint' }, 'system');
1711 violates_taint(sub { system {'notaint'} $TAINT }, 'system');
1715 system("lskdfj does not exist","with","args");
1721 exec("lskdfj does not exist","with","args");
1725 # If you add tests here update also the above skip block for VMS.
1729 # [ID 20020704.001] taint propagation failure
1732 is_tainted(my $foo = $1);
1736 # [perl #24291] this used to dump core
1737 our %nonmagicalenv = ( PATH => "util" );
1738 local *ENV = \%nonmagicalenv;
1739 eval { system("lskdfj"); };
1740 like($@, qr/^%ENV is aliased to another variable while running with -T switch/);
1741 local *ENV = *nonmagicalenv;
1742 eval { system("lskdfj"); };
1743 like($@, qr/^%ENV is aliased to %nonmagicalenv while running with -T switch/);
1750 isnt_tainted($notaint);
1753 $notaint =~ /($notaint)/;
1757 $notaint =~ /($TAINT)/;
1762 $TAINT =~ /($notaint)/;
1766 $TAINT =~ /($TAINT)/;
1772 ($r = $TAINT) =~ /($notaint)/;
1774 ($r = $TAINT) =~ /($TAINT)/;
1778 use re 'eval'; # this shouldn't make any difference
1779 ($r = $TAINT) =~ /($notaint)/;
1781 ($r = $TAINT) =~ /($TAINT)/;
1786 # accessing $^O shoudn't taint it as a side-effect;
1787 # assigning tainted data to it is now an error
1790 if (!$^X) { } elsif ($^O eq 'bar') { }
1792 local $^O; # We're going to clobber something test infrastructure depends on.
1794 like($@, qr/Insecure dependency in/);
1797 EFFECTIVELY_CONSTANTS: {
1798 my $tainted_number = 12 + $TAINT0;
1799 is_tainted( $tainted_number );
1801 # Even though it's always 0, it's still tainted
1802 my $tainted_product = $tainted_number * 0;
1803 is_tainted( $tainted_product );
1804 is($tainted_product, 0);
1807 TERNARY_CONDITIONALS: {
1808 my $tainted_true = $TAINT . "blah blah blah";
1809 my $tainted_false = $TAINT0;
1810 is_tainted( $tainted_true );
1811 is_tainted( $tainted_false );
1813 my $result = $tainted_true ? "True" : "False";
1814 is($result, "True");
1815 isnt_tainted( $result );
1817 $result = $tainted_false ? "True" : "False";
1818 is($result, "False");
1819 isnt_tainted( $result );
1821 my $untainted_whatever = "The Fabulous Johnny Cash";
1822 my $tainted_whatever = "Soft Cell" . $TAINT;
1824 $result = $tainted_true ? $tainted_whatever : $untainted_whatever;
1825 is($result, "Soft Cell");
1826 is_tainted( $result );
1828 $result = $tainted_false ? $tainted_whatever : $untainted_whatever;
1829 is($result, "The Fabulous Johnny Cash");
1830 isnt_tainted( $result );
1834 # rt.perl.org 5900 $1 remains tainted if...
1835 # 1) The regular expression contains a scalar variable AND
1836 # 2) The regular expression appears in an elsif clause
1838 my $foo = "abcdefghi" . $TAINT;
1840 my $valid_chars = 'a-z';
1843 elsif ( $foo =~ /([$valid_chars]+)/o ) {
1850 elsif ( my @bar = $foo =~ /([$valid_chars]+)/o ) {
1851 isnt_tainted($bar[0]);
1856 # at scope exit, a restored localised value should have its old
1857 # taint status, not the taint status of the current statement
1866 my $c = do { local $x99; $^X };
1873 my $c = do { local $x99; '' };
1877 # an mg_get of a tainted value during localization shouldn't taint the
1881 eval { local $0, eval '1' };
1885 # [perl #8262] //g loops infinitely on tainted data
1891 cmp_ok pos($a[0]), '>', 0, "infinite m//g on arrays (aelemfast)";
1896 cmp_ok pos($a[$i]), '>', 0, "infinite m//g on arrays (aelem)";
1901 cmp_ok pos($h{a}), '>', 0, "infinite m//g on hashes (helem)";
1907 eval 'use Scalar::Util "dualvar"; $got_dualvar++';
1908 skip "No Scalar::Util::dualvar" unless $got_dualvar;
1909 my $a = Scalar::Util::dualvar(3, $^X);
1911 is ($b, 8, "Arithmetic on tainted dualvars works");
1914 # opening '|-' should not trigger $ENV{PATH} check
1918 skip "fork() is not available", 3 unless $Config{'d_fork'};
1919 skip "opening |- is not stable on threaded Open/MirBSD with taint", 3
1920 if $Config{useithreads} and $Is_OpenBSD || $Is_MirBSD;
1922 $ENV{'PATH'} = $TAINT;
1923 local $SIG{'PIPE'} = 'IGNORE';
1925 my $pid = open my $pipe, '|-';
1926 if (!defined $pid) {
1927 die "open failed: $!";
1930 kill 'KILL', $$; # child suicide
1934 unlike($@, qr/Insecure \$ENV/, 'fork triggers %ENV check');
1935 is($@, '', 'pipe/fork/open/close failed');
1937 open my $pipe, "|$Invoke_Perl -e 1";
1940 like($@, qr/Insecure \$ENV/, 'popen neglects %ENV check');
1945 package AUTOLOAD_TAINT;
1948 return if $AUTOLOAD =~ /DESTROY/;
1949 if ($AUTOLOAD =~ /untainted/) {
1950 main::isnt_tainted($AUTOLOAD, '$AUTOLOAD can be untainted');
1951 my $copy = $AUTOLOAD;
1952 main::isnt_tainted($copy, '$AUTOLOAD can be untainted');
1954 main::is_tainted($AUTOLOAD, '$AUTOLOAD can be tainted');
1955 my $copy = $AUTOLOAD;
1956 main::is_tainted($copy, '$AUTOLOAD can be tainted');
1961 my $o = bless [], 'AUTOLOAD_TAINT';
1968 # tests for tainted format in s?printf
1969 my $fmt = $TAINT . "# %s\n";
1970 violates_taint(sub { printf($fmt, "foo") }, 'printf',
1971 q/printf doesn't like tainted formats/);
1972 violates_taint(sub { printf($TAINT . "# %s\n", "foo") }, 'printf',
1973 q/printf doesn't like tainted format expressions/);
1974 eval { printf("# %s\n", $TAINT . "foo") };
1975 is($@, '', q/printf accepts other tainted args/);
1976 violates_taint(sub { sprintf($fmt, "foo") }, 'sprintf',
1977 q/sprintf doesn't like tainted formats/);
1978 violates_taint(sub { sprintf($TAINT . "# %s\n", "foo") }, 'sprintf',
1979 q/sprintf doesn't like tainted format expressions/);
1980 eval { sprintf("# %s\n", $TAINT . "foo") };
1981 is($@, '', q/sprintf accepts other tainted args/);
1990 is ($val, '7000000000', 'Assignment to untainted variable');
1993 is ($val, '7000000000', 'Assignment to tainted variable');
1998 my $tainted = '1' . $TAINT;
1999 eval '$val = eval $tainted;';
2000 is ($val, 0, "eval doesn't like tainted strings");
2001 like ($@, qr/^Insecure dependency in eval/);
2003 # Rather nice code to get a tainted undef by from Rick Delaney
2004 open my $fh, "test.pl" or die $!;
2005 seek $fh, 0, 2 or die $!;
2008 eval 'eval $tainted';
2009 like ($@, qr/^Insecure dependency in eval/);
2012 foreach my $ord (78, 163, 256) {
2014 my $line = 'A1' . $TAINT . chr $ord;
2018 isnt_tainted($1, "\\S match with chr $ord");
2023 skip 'No crypt function, skipping crypt tests', 4 if(!$Config{d_crypt});
2025 sub cr { my $x = crypt($_[0], $_[1]); $x }
2026 sub co { my $x = ~$_[0]; $x }
2028 $a = cr('hello', 'foo' . $TAINT);
2029 $b = cr('hello', 'foo');
2030 is_tainted($a, "tainted crypt");
2031 isnt_tainted($b, "untainted crypt");
2032 $a = co('foo' . $TAINT);
2034 is_tainted($a, "tainted complement");
2035 isnt_tainted($b, "untainted complement");
2040 my @data = qw(bonk zam zlonk qunckkk);
2041 # Clearly some sort of usenet bang-path
2042 my $string = $TAINT . join "!", @data;
2044 is_tainted($string, "tainted data");
2046 my @got = split /!|,/, $string;
2048 # each @got would be useful here, but I want the test for earlier perls
2049 for my $i (0 .. $#data) {
2050 is_tainted($got[$i], "tainted result $i");
2051 is($got[$i], $data[$i], "correct content $i");
2054 is_tainted($string, "still tainted data");
2056 my @got = split /[!,]/, $string;
2058 # each @got would be useful here, but I want the test for earlier perls
2059 for my $i (0 .. $#data) {
2060 is_tainted($got[$i], "tainted result $i");
2061 is($got[$i], $data[$i], "correct content $i");
2064 is_tainted($string, "still tainted data");
2066 my @got = split /!/, $string;
2068 # each @got would be useful here, but I want the test for earlier perls
2069 for my $i (0 .. $#data) {
2070 is_tainted($got[$i], "tainted result $i");
2071 is($got[$i], $data[$i], "correct content $i");
2075 # Bug RT #52552 - broken by change at git commit id f337b08
2077 my $x = $TAINT. q{print "Hello world\n"};
2078 my $y = pack "a*", $x;
2079 is_tainted($y, "pack a* preserves tainting");
2081 my $z = pack "A*", q{print "Hello world\n"}.$TAINT;
2082 is_tainted($z, "pack A* preserves tainting");
2084 my $zz = pack "a*a*", q{print "Hello world\n"}, $TAINT;
2085 is_tainted($zz, "pack a*a* preserves tainting");
2088 # Bug RT #61976 tainted $! would show numeric rather than string value
2091 my $tainted_path = substr($^X,0,0) . "/no/such/file";
2093 # $! is used in a tainted expression, so gets tainted
2094 open my $fh, $tainted_path or $err= "$!";
2095 unlike($err, qr/^\d+$/, 'tainted $!');
2099 # #6758: tainted values become untainted in tied hashes
2100 # (also applies to other value magic such as pos)
2105 sub TIEHASH { bless {} }
2106 sub TIEARRAY { bless {} }
2111 main::is_tainted($_[1], "tied arg1 tainted");
2112 main::is_tainted($_[2], "tied arg2 tainted");
2118 my ($k,$v) = qw(1111 val);
2120 tie my @array, 'P6758';
2121 tie my %hash , 'P6758';
2124 ok $i == 2, "tied STORE called correct number of times";
2127 # Bug RT #45167 the return value of sprintf sometimes wasn't tainted
2128 # when the args were tainted. This only occured on the first use of
2129 # sprintf; after that, its TARG has taint magic attached, so setmagic
2130 # at the end works. That's why there are multiple sprintf's below, rather
2131 # than just one wrapped in an inner loop. Also, any plaintext between
2132 # fprmat entires would correctly cause tainting to get set. so test with
2133 # "%s%s" rather than eg "%s %s".
2136 for my $var1 ($TAINT, "123") {
2137 for my $var2 ($TAINT0, "456") {
2138 is( tainted(sprintf '%s', $var1, $var2), tainted($var1),
2139 "sprintf '%s', '$var1', '$var2'" );
2140 is( tainted(sprintf ' %s', $var1, $var2), tainted($var1),
2141 "sprintf ' %s', '$var1', '$var2'" );
2142 is( tainted(sprintf '%s%s', $var1, $var2),
2143 tainted($var1) || tainted($var2),
2144 "sprintf '%s%s', '$var1', '$var2'" );
2150 # Bug RT #67962: old tainted $1 gets treated as tainted
2151 # in next untainted # match
2155 "abc".$TAINT =~ /(.*)/; # make $1 tainted
2156 is_tainted($1, '$1 should be tainted');
2158 my $untainted = "abcdef";
2159 isnt_tainted($untainted, '$untainted should be untainted');
2160 $untainted =~ s/(abc)/$1/;
2161 isnt_tainted($untainted, '$untainted should still be untainted');
2162 $untainted =~ s/(abc)/x$1/;
2163 isnt_tainted($untainted, '$untainted should yet still be untainted');
2167 # On Windows we can't spawn a fresh Perl interpreter unless at
2168 # least the Windows system directory (usually C:\Windows\System32)
2169 # is still on the PATH. There is however no way to determine the
2170 # actual path on the current system without loading the Win32
2171 # module, so we just restore the original $ENV{PATH} here.
2172 local $ENV{PATH} = $ENV{PATH};
2173 $ENV{PATH} = $old_env_path if $Is_MSWin32;
2175 fresh_perl_is(<<'end', "ok", { switches => [ '-T' ] },
2176 $TAINT = substr($^X, 0, 0);
2177 formline('@'.('<'x("2000".$TAINT)).' | @*', 'hallo', 'welt');
2180 "formline survives a tainted dynamic picture");
2184 isnt_tainted($^A, "format accumulator not tainted yet");
2185 formline('@ | @*', 'hallo' . $TAINT, 'welt');
2186 is_tainted($^A, "tainted formline argument makes a tainted accumulator");
2188 isnt_tainted($^A, "accumulator can be explicitly untainted");
2189 formline('@' .('<'*5) . ' | @*', 'hallo', 'welt');
2190 isnt_tainted($^A, "accumulator still untainted");
2192 is_tainted($^A, "accumulator can be explicitly tainted");
2193 formline('@' .('<'*5) . ' | @*', 'hallo', 'welt');
2194 is_tainted($^A, "accumulator still tainted");
2196 isnt_tainted($^A, "accumulator untainted again");
2197 formline('@' .('<'*5) . ' | @*', 'hallo', 'welt');
2198 isnt_tainted($^A, "accumulator still untainted");
2199 formline('@' .('<'*(5+$TAINT0)) . ' | @*', 'hallo', 'welt');
2200 is_tainted($^A, "the accumulator should be tainted already");
2201 is_tainted($^A, "tainted formline picture makes a tainted accumulator");
2205 "Constant(1)" =~ / ^ ([a-z_]\w*) (?: [(] (.*) [)] )? $ /xi;
2208 isnt_tainted($a, "regex optimization of single char /[]/i doesn't taint");
2209 isnt_tainted($b, "regex optimization of single char /[]/i doesn't taint");
2213 # RT 81230: tainted value during FETCH created extra ref to tied obj
2221 my $x = $^X; # tainted
2224 sub FETCH { my $x = $_[0]; $$x . "" }
2229 local $SIG{__WARN__} = sub { $w .= "@_" };
2231 untie %h if $h{"k"};
2233 ::is($w, "", "RT 81230");
2237 # Compiling a subroutine inside a tainted expression does not make the
2238 # constant folded values tainted.
2239 my $x = sub { "x" . "y" };
2240 my $y = $ENV{PATH} . $x->(); # Compile $x inside a tainted expression
2242 isnt_tainted($z, "Constants folded value not tainted");
2246 # now that regexes are first class SVs, make sure that they themselves
2247 # as well as references to them are tainted
2249 my $rr = qr/(.)$TAINT/;
2250 my $r = $$rr; # bare REGEX
2252 ok($s =~ s/$r/x/, "match bare regex");
2253 is_tainted($s, "match bare regex taint");
2254 is($s, 'xbc', "match bare regex taint value");
2258 # [perl #82616] security Issues with user-defined \p{} properties
2259 # A using a tainted user-defined property should croak
2261 sub IsA { sprintf "%02x", ord("A") }
2264 ok("A" =~ /\p{$prop}/, "user-defined property: non-tainted case");
2265 $prop = "IsA$TAINT";
2266 eval { "A" =~ /\p{$prop}/};
2267 like($@, qr/Insecure user-defined property \\p\{main::IsA}/,
2268 "user-defined property: tainted case");
2272 # [perl #87336] lc/uc(first) failing to taint the returned string
2273 my $source = "foo$TAINT";
2274 my $dest = lc $source;
2275 is_tainted $dest, "lc(tainted) taints its return value";
2276 $dest = lcfirst $source;
2277 is_tainted $dest, "lcfirst(tainted) taints its return value";
2279 is_tainted $dest, "uc(tainted) taints its return value";
2280 $dest = ucfirst $source;
2281 is_tainted $dest, "ucfirst(tainted) taints its return value";
2285 # Taintedness of values returned from given()
2286 use feature 'switch';
2287 no warnings 'experimental::smartmatch';
2289 my @descriptions = ('when', 'given end', 'default');
2292 my $letter = "$_$TAINT";
2294 my $desc = "tainted value returned from " . shift(@descriptions);
2298 when ('x') { $letter }
2299 when ('y') { goto leavegiven }
2304 is $res, $letter, "$desc is correct";
2305 is_tainted $res, "$desc stays tainted";
2310 # tainted constants and index()
2311 # RT 64804; http://bugs.debian.org/291450
2313 ok(tainted $old_env_path, "initial taintedness");
2314 BEGIN { no strict 'refs'; my $v = $old_env_path; *{"::C"} = sub () { $v }; }
2315 ok(tainted C, "constant is tainted properly");
2316 ok(!tainted "", "tainting not broken yet");
2318 ok(!tainted "", "tainting still works after index() of the constant");
2321 # Tainted values with smartmatch
2322 # [perl #93590] S_do_smartmatch stealing its own string buffers
2324 no warnings 'experimental::smartmatch';
2325 ok "M$TAINT" ~~ ['m', 'M'], '$tainted ~~ ["whatever", "match"]';
2326 ok !("M$TAINT" ~~ ['m', undef]), '$tainted ~~ ["whatever", undef]';
2329 # Tainted values and ref()
2331 my $x = bless \"M$TAINT", ref(bless[], "main");
2333 pass("no death when TARG of ref is tainted");
2335 # $$ should not be tainted by being read in a tainted expression.
2337 isnt_tainted $$, "PID not tainted initially";
2338 my $x = $ENV{PATH}.$$;
2339 isnt_tainted $$, "PID not tainted when read in tainted expression";
2343 skip 'No locale testing without d_setlocale', 4 if(!$Config{d_setlocale});
2347 if($Config{d_setlocale}) {
2348 require locale; import locale;
2351 my ($latin1, $utf8) = ("\xDF") x 2;
2352 utf8::downgrade($latin1);
2353 utf8::upgrade($utf8);
2355 is_tainted fc($latin1), "under locale, lc(latin1) taints the result";
2356 is_tainted fc($utf8), "under locale, lc(utf8) taints the result";
2358 is_tainted "\F$latin1", "under locale, \\Flatin1 taints the result";
2359 is_tainted "\F$utf8", "under locale, \\Futf8 taints the result";
2364 eval { die "Test\n".substr($ENV{PATH}, 0, 0); };
2367 like($@, qr/^Test\n\t\.\.\.propagated at /, "error should be propagated");
2370 # tainted run-time (?{}) should die
2373 my $code = '(?{})' . $TAINT;
2375 eval { "a" =~ /$code/ };
2376 like($@, qr/Eval-group in insecure regular expression/, "tainted (?{})");
2379 # reset() and tainted undef (?!)
2381 $_ = "$TAINT".reset "x";
2382 is eval { eval $::x.1 }, 1, 'reset does not taint undef';
2384 # This may bomb out with the alarm signal so keep it last
2386 skip "No alarm()" unless $Config{d_alarm};
2387 # Test from RT #41831]
2388 # [PATCH] Bug & fix: hang when using study + taint mode (perl 5.6.1, 5.8.x)
2390 my $DATA = <<'END' . $TAINT;
2400 ## don't set $SIG{ALRM}, since we'd never get to a user-level handler as
2401 ## perl is stuck in a regexp infinite loop!
2405 if ($DATA =~ /^line2.*line4/m) {
2406 fail("Should not be a match")
2408 pass("Match on tainted multiline data should fail promptly");
2414 # Keep the previous test last
https://perl5.git.perl.org / perl5.git / blob