author Jarkko Hietaniemi <jhi@iki.fi> 2000-03-18 19:56:12 +0000
committer Jarkko Hietaniemi <jhi@iki.fi> 2000-03-18 19:56:12 +0000
commit 4602f195a9a943db1cd284ff4af1bcdb58f98ead
tree 318b2ecd0c5ff35fe7c75032292774679bcd1f36
parent b448e4fea9d52c651a1814ffb2d1d8745f1f0de9
Taint the shell from the getpw*.
p4raw-id: //depot/cfgperl@5805
-rw-r--r-- pod/perldelta.pod 5
-rw-r--r-- pod/perlfunc.pod 46
-rw-r--r-- pod/perlsec.pod 21
-rw-r--r-- pp_sys.c 4
4 files changed, 46 insertions, 30 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 39bb0330ee..8904889c77 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -206,6 +206,11 @@ will produce different results on platforms that have different
$Config{ivsize}. For portability, be sure to mask off the excess bits
in the result of unary C<~>, e.g., C<~$x & 0xffffffff>.
+=head2 The shell returned by the getpwxxx() is now tainted
+
+Because the user can affect her own login shell the shell returned
+by the getpwent(), getpwnam(), and getpwuid() functions is tainted.
+
=back
=head2 C Source Incompatibilities
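Review bot: The new =head2 entry is inserted directly before the =back, so it lands inside the list that the =back closes instead of alongside the other =head2 sections; move it below the =back or make it an =item. The heading wording "the getpwxxx()" is also awkward next to the getpw* spelling used in the perlfunc and perlsec hunks of this commit, and the body could carry the same L<perlsec> pointer that the perlfunc text does.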
diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod
index f14b8bb04b..2c55a95aa0 100644
--- a/pod/perlfunc.pod
+++ b/pod/perlfunc.pod
@@ -1859,6 +1859,13 @@ various get routines are as follows:
(If the entry doesn't exist you get a null list.)
+The exact meaning of the $gcos field varies but it usually contains
+the real name of the user (as opposed to the login name) and other
+information pertaining to the user. Beware, however, that in many
+system users are able to change this information and therefore it
+cannot be trusted and therefore the $gcos is is tainted (see L<perlsec>).
+The $shell, user's login shell, is also tainted, because of the same reason.
+
In scalar context, you get the name, unless the function was a
lookup by name, in which case you get the other thing, whatever it is.
(If the entry doesn't exist you get the undefined value.) For example:
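Review bot: The added paragraph has a doubled word in "the $gcos is is tainted", a number slip in "in many system users are able", and a repeated "and therefore ... and therefore" in the same sentence. Suggested wording: "on many systems users are able to change this information, so it cannot be trusted and $gcos is tainted (see L<perlsec>)". The last sentence reads better as "The $shell, the user's login shell, is also tainted for the same reason."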
@@ -1871,26 +1878,25 @@ lookup by name, in which case you get the other thing, whatever it is.
$name = getgrent();
#etc.
-In I<getpw*()> the fields $quota, $comment, and $expire are
-special cases in the sense that in many systems they are unsupported.
-If the $quota is unsupported, it is an empty scalar. If it is
-supported, it usually encodes the disk quota. If the $comment
-field is unsupported, it is an empty scalar. If it is supported it
-usually encodes some administrative comment about the user. In some
-systems the $quota field may be $change or $age, fields that have
-to do with password aging. In some systems the $comment field may
-be $class. The $expire field, if present, encodes the expiration
-period of the account or the password. For the availability and the
-exact meaning of these fields in your system, please consult your
-getpwnam(3) documentation and your F<pwd.h> file. You can also find
-out from within Perl what your $quota and $comment fields mean
-and whether you have the $expire field by using the C<Config> module
-and the values C<d_pwquota>, C<d_pwage>, C<d_pwchange>, C<d_pwcomment>,
-and C<d_pwexpire>. Shadow password files are only supported if your
-vendor has implemented them in the intuitive fashion that calling the
-regular C library routines gets the shadow versions if you're running
-under privilege. Those that incorrectly implement a separate library
-call are not supported.
+In I<getpw*()> the fields $quota, $comment, and $expire are special
+cases in the sense that in many systems they are unsupported. If the
+$quota is unsupported, it is an empty scalar. If it is supported, it
+usually encodes the disk quota. If the $comment field is unsupported,
+it is an empty scalar. If it is supported it usually encodes some
+administrative comment about the user. In some systems the $quota
+field may be $change or $age, fields that have to do with password
+aging. In some systems the $comment field may be $class. The $expire
+field, if present, encodes the expiration period of the account or the
+password. For the availability and the exact meaning of these fields
+in your system, please consult your getpwnam(3) documentation and your
+F<pwd.h> file. You can also find out from within Perl what your
+$quota and $comment fields mean and whether you have the $expire field
+by using the C<Config> module and the values C<d_pwquota>, C<d_pwage>,
+C<d_pwchange>, C<d_pwcomment>, and C<d_pwexpire>. Shadow password
+files are only supported if your vendor has implemented them in the
+intuitive fashion that calling the regular C library routines gets the
+shadow versions if you're running under privilege. Those that
+incorrectly implement a separate library call are not supported.
The $members value returned by I<getgr*()> is a space separated list of
the login names of the members of the group.
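Review bot: The removed and added paragraphs in this hunk contain the same words and differ only in where the lines break, so the getpw* field description is re-wrapped without any change in content. This accounts for most of the perlfunc.pod line count and hides the seven lines that actually document the new taint; consider dropping the re-wrap from this commit or submitting it separately.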
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index 40374870a1..e61316511c 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -33,16 +33,17 @@ You may not use data derived from outside your program to affect
something else outside your program--at least, not by accident. All
command line arguments, environment variables, locale information (see
L<perllocale>), results of certain system calls (readdir, readlink,
-the gecos field of getpw* calls), and all file input are marked as
-"tainted". Tainted data may not be used directly or indirectly in any
-command that invokes a sub-shell, nor in any command that modifies
-files, directories, or processes. (B<Important exception>: If you pass
-a list of arguments to either C<system> or C<exec>, the elements of
-that list are B<NOT> checked for taintedness.) Any variable set
-to a value derived from tainted data will itself be tainted,
-even if it is logically impossible for the tainted data
-to alter the variable. Because taintedness is associated with each
-scalar value, some elements of an array can be tainted and others not.
+the gecos and shell fields of getpw* calls), and all file input are
+marked as "tainted". Tainted data may not be used directly or
+indirectly in any command that invokes a sub-shell, nor in any command
+that modifies files, directories, or processes. (B<Important
+exception>: If you pass a list of arguments to either C<system> or
+C<exec>, the elements of that list are B<NOT> checked for
+taintedness.) Any variable set to a value derived from tainted data
+will itself be tainted, even if it is logically impossible for the
+tainted data to alter the variable. Because taintedness is associated
+with each scalar value, some elements of an array can be tainted and
+others not.
For example:
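Review bot: The only substantive change in this hunk is "the gecos field" becoming "the gecos and shell fields"; the rest is re-wrapping, which makes that change hard to spot. More importantly, the retained "Important exception" says elements passed as a list to C<system> or C<exec> are NOT checked for taintedness, and a login shell is a value that is commonly handed to exec as a list element. It would help to say here that the new taint on the shell field does not stop that use, so callers still need to validate the value themselves.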
diff --git a/pp_sys.c b/pp_sys.c
index e1d74aee3a..517a9552b9 100644
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -4868,6 +4868,10 @@ PP(pp_gpwent)
PUSHs(sv = sv_mortalcopy(&PL_sv_no));
sv_setpv(sv, pwent->pw_shell);
+#ifndef INCOMPLETE_TAINTS
+ /* pw_shell is tainted because user himself can diddle with it. */
+ SvTAINTED_on(sv);
+#endif
#ifdef PWEXPIRE
PUSHs(sv = sv_mortalcopy(&PL_sv_no));
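Review bot: No test accompanies the SvTAINTED_on(sv) call added after sv_setpv(sv, pwent->pw_shell); the diffstat lists only the three pod files and pp_sys.c. A taint test asserting that the shell field is tainted would guard against regressions. The commit message and the docs promise this for getpwent(), getpwnam() and getpwuid(), but the hunk touches only PP(pp_gpwent), so please confirm the other two lookups reach this code path. The docs should also mention that the taint is skipped when INCOMPLETE_TAINTS is defined, and the comment's "user himself" is inconsistent with "her own" in the perldelta text.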