diff options
author | Tony Cook <tony@develop-help.com> | 2015-12-15 10:56:54 +1100 |
---|---|---|
committer | Ricardo Signes <rjbs@cpan.org> | 2016-01-11 08:23:46 -0500 |
commit | 95b0d348019c20bd1197f702907c849c64a86cb7 (patch) | |
tree | c6f07ac30ed16aa670557ffa4b3ec78748c86718 | |
parent | 51d2955976e83fc2a9befaf685f4553a0a1c82b2 (diff) | |
download | perl-95b0d348019c20bd1197f702907c849c64a86cb7.tar.gz |
ensure File::Spec::canonpath() preserves taint
Previously the unix specific XS implementation of canonpath() would
return an untainted path when supplied a tainted path.
For the empty string case, newSVpvs() already sets taint as needed on
its result.
This issue was assigned CVE-2015-8607. [perl #126862]
-rw-r--r-- | dist/PathTools/Cwd.xs | 1 | ||||
-rw-r--r-- | dist/PathTools/t/taint.t | 19 |
2 files changed, 19 insertions, 1 deletions
diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs index 1f174bf451..22e90c5114 100644 --- a/dist/PathTools/Cwd.xs +++ b/dist/PathTools/Cwd.xs @@ -512,6 +512,7 @@ THX_unix_canonpath(pTHX_ SV *path) *o = 0; SvPOK_on(retval); SvCUR_set(retval, o - SvPVX(retval)); + SvTAINT(retval); return retval; } diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t index 309b3e5dfc..48f8c5bc8f 100644 --- a/dist/PathTools/t/taint.t +++ b/dist/PathTools/t/taint.t @@ -12,7 +12,7 @@ use Test::More; BEGIN { plan( ${^TAINT} - ? (tests => 17) + ? (tests => 21) : (skip_all => "A perl without taint support") ); } @@ -34,3 +34,20 @@ foreach my $func (@Functions) { # Previous versions of Cwd tainted $^O is !tainted($^O), 1, "\$^O should not be tainted"; + +{ + # [perl #126862] canonpath() loses taint + my $tainted = substr($ENV{PATH}, 0, 0); + # yes, getcwd()'s result should be tainted, and is tested above + # but be sure + ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)), + "canonpath() keeps taint on non-empty string"; + ok tainted(File::Spec->canonpath($tainted)), + "canonpath() keeps taint on empty string"; + + (Cwd::getcwd() =~ /^(.*)/); + my $untainted = $1; + ok !tainted($untainted), "make sure our untainted value is untainted"; + ok !tainted(File::Spec->canonpath($untainted)), + "canonpath() doesn't add taint to untainted string"; +} |