authorDavid Mitchell <davem@iabyn.com>2010-06-24 00:02:39 +0100
committerDavid Mitchell <davem@iabyn.com>2010-07-03 16:25:58 +0100
commit895b760f672897cb301e8900c05743c32f282f42 (patch)
tree7cb638db2ce098117e99455bf900d1ab23bfb3ab
parent3e5c01898a8b319439f67ce035bfc80fb80b4f3b (diff)
eval: handle taint of overloaded/tied arg
string eval would check its arg for taint before processing magic, overload etc. If the magic or overload returned a tainted value, it wouldn't be detected. Fixes part of #75716.
-rw-r--r--lib/overload.t8
-rw-r--r--pp_ctl.c9
2 files changed, 15 insertions, 2 deletions
diff --git a/lib/overload.t b/lib/overload.t
index 8a632a5c8a..c1d4eaf0c3 100644
--- a/lib/overload.t
+++ b/lib/overload.t
@@ -47,7 +47,7 @@ sub numify { 0 + "${$_[0]}" } # Not needed, additional overhead
package main;
$| = 1;
-use Test::More tests => 4826;
+use Test::More tests => 4880;
use Scalar::Util qw(tainted);
@@ -1867,6 +1867,11 @@ foreach my $op (qw(<=> == != < <= > >=)) {
# XXX TODO: '<>'
+ # eval should do tie, overload on its arg before checking taint */
+ push @tests, [ '1;', 'eval q(eval %s); $@ =~ /Insecure/',
+ '("")', '("")', [ 1, 2, 0 ], 0 ];
+
+
for my $sub (keys %subs) {
my $term = $subs{$sub};
my $t = sprintf $term, '$_[0][0]';
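Review bot: The added comment above the `push @tests` row ends with a stray C-style `*/`, which is harmless after `#` but reads like a paste from pp_ctl.c; `# eval should do tie, overload on its arg before checking taint` is enough. The row itself names only the `("")` stringify overload, while the comment also promises tie. Whether a tied argument is exercised depends on how the harness expands `@tests`, which is outside this hunk, so a short word in the comment on which cases this row covers would help the next reader judge the taint coverage.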
@@ -1990,7 +1995,6 @@ foreach my $op (qw(<=> == != < <= > >=)) {
$res = "$res" if $res_term =~ /\+\+|--/;
is(tainted($res), $exp_taint,
"$desc taint of result return");
- #XXX$res = "$res";
is($res, $exp, "$desc return value");
my $fns =($ov_pkg eq 'RT57012_OV_FB')
? $exp_fb_funcs : $exp_funcs;
diff --git a/pp_ctl.c b/pp_ctl.c
index 7d041bdfe9..527cad9b8b 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -3763,6 +3763,15 @@ PP(pp_entereval)
saved_hh = MUTABLE_HV(SvREFCNT_inc(POPs));
}
sv = POPs;
+ if (!SvPOK(sv)) {
+ /* make sure we've got a plain PV (no overload etc) before testing
+ * for taint. Making a copy here is probably overkill, but better
+ * safe than sorry */
+ SV* tmpsv = newSV_type(SVt_PV);
+ sv_copypv(tmpsv, sv);
+ sv_2mortal(tmpsv);
+ sv = tmpsv;
+ }
TAINT_IF(SvTAINTED(sv));
TAINT_PROPER("eval");
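Review bot: The comment inside the added `if (!SvPOK(sv))` block calls the copy "probably overkill" without stating the property it protects, which is the security-relevant part of this change. Stringifying into `tmpsv` runs the overload or tie code once, and `TAINT_IF(SvTAINTED(sv))` then tests the resulting string rather than the original argument; I would say so, e.g. `/* stringify once (runs overload/tie) so the taint check below sees the value that will be evaluated */`. That reading assumes the rest of pp_entereval, which continues outside the hunk, keeps using `sv`, and that `sv_copypv` carries taintedness over to the copy; both are worth confirming. If an SV can be SvPOK here and still carry get magic, it skips the copy, so that case may deserve a check or a test of its own.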