Taint also the passwd field of the getpw*().

p4raw-id: //depot/cfgperl@5810

5 files changed, 16 insertions, 10 deletions

diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 8904889c77..88655bed8f 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -206,10 +206,11 @@ will produce different results on platforms that have different
 $Config{ivsize}.  For portability, be sure to mask off the excess bits
 in the result of unary C<~>, e.g., C<~$x & 0xffffffff>.
 
-=head2 The shell returned by the getpwxxx() is now tainted
+=head2 The passwd and shell returned by the getpwxxx() are now tainted
 
-Because the user can affect her own login shell the shell returned
-by the getpwent(), getpwnam(), and getpwuid() functions is tainted.
+Because the user can affect her own encrypted password and login shell
+the password and shell returned by the getpwent(), getpwnam(), and
+getpwuid() functions are tainted.
 
 =back
 
diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod
index 2c55a95aa0..c4c7e3f554 100644
--- a/pod/perlfunc.pod
+++ b/pod/perlfunc.pod
@@ -1863,8 +1863,9 @@ The exact meaning of the $gcos field varies but it usually contains
 the real name of the user (as opposed to the login name) and other
 information pertaining to the user.  Beware, however, that in many
 system users are able to change this information and therefore it
-cannot be trusted and therefore the $gcos is is tainted (see L<perlsec>). 
-The $shell, user's login shell, is also tainted, because of the same reason.
+cannot be trusted and therefore the $gcos is is tainted (see
+L<perlsec>).  The $passwd and $shell, user's encrypted password and
+login shell, are also tainted, because of the same reason.
 
 In scalar context, you get the name, unless the function was a
 lookup by name, in which case you get the other thing, whatever it is.
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index e61316511c..713a89c02c 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -33,10 +33,10 @@ You may not use data derived from outside your program to affect
 something else outside your program--at least, not by accident.  All
 command line arguments, environment variables, locale information (see
 L<perllocale>), results of certain system calls (readdir, readlink,
-the gecos and shell fields of getpw* calls), and all file input are
-marked as "tainted".  Tainted data may not be used directly or
-indirectly in any command that invokes a sub-shell, nor in any command
-that modifies files, directories, or processes. (B<Important
+the password, gcos and shell fields of the getpw* calls), and all file
+input are marked as "tainted".  Tainted data may not be used directly
+or indirectly in any command that invokes a sub-shell, nor in any
+command that modifies files, directories, or processes. (B<Important
 exception>: If you pass a list of arguments to either C<system> or
 C<exec>, the elements of that list are B<NOT> checked for
 taintedness.) Any variable set to a value derived from tainted data
diff --git a/pp_sys.c b/pp_sys.c
index 5bbe2506fd..0ec539d51f 100644
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -4835,6 +4835,10 @@ PP(pp_gpwent)
 	sv_setpv(sv, pwent->pw_passwd);
 #   endif
 #endif
+#ifndef INCOMPLETE_TAINTS
+	/* passwd is tainted because user himself can diddle with it. */
+	SvTAINTED_on(sv);
+#endif
 
 	PUSHs(sv = sv_mortalcopy(&PL_sv_no));
 #if Uid_t_sign <= 0
diff --git a/t/op/taint.t b/t/op/taint.t
index 6a5d6b7e99..883f069dbd 100755
--- a/t/op/taint.t
+++ b/t/op/taint.t
@@ -547,7 +547,7 @@ else {
 	my @getpwent = getpwent();
 	die "getpwent: $!\n" unless (@getpwent);
 	test 142,(    not tainted $getpwent[0]
-	          and not tainted $getpwent[1]
+	          and     tainted $getpwent[1]
 	          and not tainted $getpwent[2]
 	          and not tainted $getpwent[3]
 	          and not tainted $getpwent[4]