From 64ff300be0f7714585466af5bb87b2e37db5082a Mon Sep 17 00:00:00 2001
From: Father Chrysostomos
Date: Sun, 31 Aug 2014 14:10:45 -0700
Subject: [PATCH] =?utf8?q?[perl=20#122669]=20Don=E2=80=99t=20taint=20at=20?=
 =?utf8?q?compile=20time?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

#!perl -T
# tainted constant
use constant K=>$^X;
# Just reading the constant for the sake of folding can enabled
# taintedness at compile time.
0 if K;
# Taintedness is still on when the ‘strict.pm’ SV is created, so
# require croaks on it (‘Insecure dependency’).
use strict;

The fix is simply not to propagate taintedness at compile time. Hence, the value of K will still be tainted at run time (require(K) croaks), but just reading the value of K at compile time won’t taint subsequent string literals (or barewords treated as strings).

‘Compile time’ here is relative: Taintedness still wafts about as usual when BEGIN blocks are executed, because code is actually run-
ning. It’s when code is being parsed that propagation is disabled.

The reason taint propagation could span across statements at compile time was that *execution* of a new statement resets taintedness, whereas parsing is oblivious to it.
---
 mg.c | 2 +-
 t/op/taint.t | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/mg.c b/mg.c
index e1fc578..9dc0679 100644
--- a/mg.c
+++ b/mg.c
@@ -2237,7 +2237,7 @@ Perl_magic_gettaint(pTHX_ SV *sv, MAGIC *mg)
 PERL_UNUSED_ARG(mg);
 #endif
 
- TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1));
+ TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1) && IN_PERL_RUNTIME);
 return 0;
 }
 
diff --git a/t/op/taint.t b/t/op/taint.t
index 20449de..6ec66ce 100644
--- a/t/op/taint.t
+++ b/t/op/taint.t
@@ -16,7 +16,7 @@ BEGIN {
 use strict;
 use Config;
 
-plan tests => 800;
+plan tests => 801;
 
 $| = 1;
 
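Review bot: The new `IN_PERL_RUNTIME` conjunct keeps `PL_tainted` clear whenever `PL_curcop` is still `&PL_compiling`, and constant folding appears to run ops in exactly that state (inferred — fold_constants is not in this hunk), so a folded expression with a tainted operand such as `K . "x"` may now produce an untainted OP_CONST because `SvTAINT` on the folded result no longer sees the flag; this deserves either a test that such a folded value is still tainted at run time or confirmation that the folder refuses tainted operands. The changed condition also reads as arbitrary without a why-comment, e.g. `/* [perl #122669] Only executed statements reset PL_tainted; while parsing, a tainted constant read for folding would otherwise taint every later literal, so propagate taint at run time only (the SV itself stays tainted). */`. Perl_magic_gettaint's signature sits in the hunk header, so the function begins outside the hunk.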
@@ -2322,6 +2322,14 @@ $::x = "foo";
 $_ = "$TAINT".reset "x";
 is eval { eval $::x.1 }, 1, 'reset does not taint undef';
 
+# [perl #122669]
+is runperl( switches => [ '-T' ], prog => 'use constant K=>$^X; 0 if K; BEGIN{} use strict; print 122669, qq-\n-', stderr => 1, ), "122669\n", 'tainted constant as logop condition should not prevent "use"';
+
 # This may bomb out with the alarm signal so keep it last
 SKIP: {
 skip "No alarm()" unless $Config{d_alarm};
-- 
1.8.3.1
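Review bot: The new test only pins the permissive direction (`use strict` no longer croaks after `0 if K`) and leaves the commit message's other claim unchecked, namely that K is still tainted once code runs; a companion `runperl` with `prog => 'use constant K=>$^X; 0 if K; require K'` matched with `like ..., qr/Insecure dependency/` would guard against the fix over-suppressing taint (the `plan` count in the earlier hunk would then move to 802). The bare `BEGIN{}` in the prog is unexplained — presumably it shows that executing a BEGIN block between the fold and the `use` does not reinstate the compile-time taint, and a comment stating that intent would help, e.g. `# BEGIN{} runs code between the fold and the use; taint must not reappear`. The test comment could also name what is being protected, e.g. `# [perl #122669] reading a tainted constant while parsing must not taint later literals`.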