diff options
author | Jarkko Hietaniemi <jhi@iki.fi> | 2000-03-19 01:48:47 +0000 |
---|---|---|
committer | Jarkko Hietaniemi <jhi@iki.fi> | 2000-03-19 01:48:47 +0000 |
commit | d929ce6fe8f415355968ae904607a49f36ad5c70 (patch) | |
tree | 55c5af0a110b532106f3395cc36541ef70d8358f | |
parent | 2959b6e3384ea619841b1f9556846dd2755caf04 (diff) | |
download | perl-d929ce6fe8f415355968ae904607a49f36ad5c70.tar.gz |
Taint shmread().
p4raw-id: //depot/cfgperl@5811
-rw-r--r-- | doio.c | 4 | ||||
-rw-r--r-- | pod/perldelta.pod | 6 | ||||
-rw-r--r-- | pod/perlfunc.pod | 4 | ||||
-rw-r--r-- | pod/perlsec.pod | 24 | ||||
-rwxr-xr-x | t/op/taint.t | 35 |
5 files changed, 58 insertions, 15 deletions
@@ -1994,6 +1994,10 @@ Perl_do_shmio(pTHX_ I32 optype, SV **mark, SV **sp) SvCUR_set(mstr, msize); *SvEND(mstr) = '\0'; SvSETMAGIC(mstr); +#ifndef INCOMPLETE_TAINTS + /* who knows who has been playing with this shared memory? */ + SvTAINTED_on(mstr); +#endif } else { I32 n; diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 88655bed8f..52a6fba599 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -212,6 +212,12 @@ Because the user can affect her own encrypted password and login shell the password and shell returned by the getpwent(), getpwnam(), and getpwuid() functions are tainted. +=head2 The shmread() now taints its variable + +Because other (untrusted) processes can modify shared memory segments +for their own nefarious purposes, the variable modified by shmread() +becomes tainted. + =back =head2 C Source Incompatibilities diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod index c4c7e3f554..cc84d737ce 100644 --- a/pod/perlfunc.pod +++ b/pod/perlfunc.pod @@ -4022,8 +4022,8 @@ detaching from it. When reading, VAR must be a variable that will hold the data read. When writing, if STRING is too long, only SIZE bytes are used; if STRING is too short, nulls are written to fill out SIZE bytes. Return true if successful, or false if there is an error. -See also C<IPC::SysV> documentation and the C<IPC::Shareable> module -from CPAN. +shmread() taints the variable. See also C<IPC::SysV> documentation and +the C<IPC::Shareable> module from CPAN. =item shutdown SOCKET,HOW diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 713a89c02c..b271f7016c 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -32,18 +32,18 @@ program more secure than the corresponding C program. You may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see -L<perllocale>), results of certain system calls (readdir, readlink, -the password, gcos and shell fields of the getpw* calls), and all file -input are marked as "tainted". Tainted data may not be used directly -or indirectly in any command that invokes a sub-shell, nor in any -command that modifies files, directories, or processes. (B<Important -exception>: If you pass a list of arguments to either C<system> or -C<exec>, the elements of that list are B<NOT> checked for -taintedness.) Any variable set to a value derived from tainted data -will itself be tainted, even if it is logically impossible for the -tainted data to alter the variable. Because taintedness is associated -with each scalar value, some elements of an array can be tainted and -others not. +L<perllocale>), results of certain system calls (readdir(), +readlink(), the variable of() shmread, the password, gcos and shell +fields of the getpwxxx() calls), and all file input are marked as +"tainted". Tainted data may not be used directly or indirectly in any +command that invokes a sub-shell, nor in any command that modifies +files, directories, or processes. (B<Important exception>: If you pass +a list of arguments to either C<system> or C<exec>, the elements of +that list are B<NOT> checked for taintedness.) Any variable set to a +value derived from tainted data will itself be tainted, even if it is +logically impossible for the tainted data to alter the variable. +Because taintedness is associated with each scalar value, some +elements of an array can be tainted and others not. For example: diff --git a/t/op/taint.t b/t/op/taint.t index 883f069dbd..51dcbd8e5b 100755 --- a/t/op/taint.t +++ b/t/op/taint.t @@ -94,7 +94,7 @@ print PROG 'print "@ARGV\n"', "\n"; close PROG; my $echo = "$Invoke_Perl $ECHO"; -print "1..149\n"; +print "1..150\n"; # First, let's make sure that Perl is checking the dangerous # environment variables. Maybe they aren't set yet, so we'll @@ -605,3 +605,36 @@ else { $why =~ s/e/'-'.$$/ge; test 149, tainted $why; } + +# test shmread +{ + if ($Config{d_shm}) { + use IPC::SysV qw(IPC_PRIVATE IPC_RMID S_IRWXU S_IRWXG S_IRWXO); + + my $sent = "foobar"; + my $rcvd; + my $size = 2000; + my $key = shmget(IPC_PRIVATE, $size, S_IRWXU|S_IRWXG|S_IRWXO) || + warn "# shmget failed: $!\n"; + if ($key >= 0) { + if (shmwrite($key, $sent, 0, 60)) { + if (shmread($key, $rcvd, 0, 60)) { + substr($rcvd, index($rcvd, "\0")) = ''; + } else { + warn "# shmread failed: $!\n"; + } + } else { + warn "# shmwrite failed: $!\n"; + } + shmctl($key, IPC_RMID, 0) || warn "# shmctl failed: $!\n"; + } + + if ($rcvd eq $sent) { + test 150, tainted $rcvd; + } else { + print "ok 150 # Skipped: SysV shared memory operation failed\n"; + } + } else { + for (150) { print "ok $_ # Skipped: SysV shared memory is not available\n"; } + } +} |