author: David Mitchell <davem@iabyn.com> 2010-03-21 00:01:09 +0000
committer: David Mitchell <davem@iabyn.com> 2010-03-21 00:10:11 +0000
commit: 3e6bd4bfcd175c613d32ccb2eb2fde8ff580206a
tree: d201dbf1dcf2006795c2d1a70019879e157cd1e6 /pp.c
parent: b112cff9879ef9e20ee30b1a9ec813b1336a3093
[perl #45167] Taint removal by sprintf

Under some circumstances the value returned by sprintf wasn't tainted, even though its args were. While trying to fix this, I also came across a second bug (which made fixing the first bug very confusing!) where the TARG of the sprintf op, after getting tainted once, permanently retained taint magic, which depending on circumstances, wasn't always set to untainted (mg_len = 0).

The original bug basically boiled down to parts of Perl_sv_vcatpvfn() directly manipulating the target with SvGROW() / Copy(), which failed to taint the target. Other parts used sv_catsv(), which did.

So for example:
    "%s%s" failed (only SvGROW)
    "%s %s" worked (the space char was appended using sv_catsv).

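A regression check for the two behaviours the commit message describes, added here as an example; it is not part of the commit or of Perl's own test suite. The variable names and the `check` helper are assumptions, and the script has to be run in taint mode (`perl -T`).

```perl
# Added regression check; not part of the commit or of Perl's test suite.
# Run as: perl -T thisfile.pl   (taint mode is required)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Under -T, $^X (the path of the running perl) is tainted, so a
# zero-length substring of it is an empty but tainted string.
my $TAINT = substr($^X, 0, 0);
my $dirty = "data" . $TAINT;   # constructed tainted value
my $clean = "data";            # constructed untainted value

my $failures = 0;

# Hypothetical helper: report one check and count failures.
sub check {
    my ($ok, $label) = @_;
    print(($ok ? "ok" : "NOT OK"), " - $label\n");
    $failures++ unless $ok;
}

# Bug 1: the result must be tainted whichever append path the format
# takes. The commit message names "%s%s" as the failing case.
for my $fmt ('%s%s', '%s %s') {
    my $out = sprintf($fmt, $dirty, $dirty);
    check(tainted($out) ? 1 : 0,
          "tainted args through '$fmt' give a tainted result");
}

# Bug 2: one sprintf op (one TARG) executed twice, first with tainted
# and then with clean arguments. Taint must follow the current call.
my @seen;
for my $arg ($dirty, $clean) {
    my $out = sprintf('%s%s', $arg, $arg);
    push @seen, tainted($out) ? 1 : 0;
}
check($seen[0] == 1, "first call (tainted args) is tainted");
check($seen[1] == 0, "second call (clean args) is not tainted");

exit($failures ? 1 : 0);
```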
Diffstat (limited to 'pp.c')
-rw-r--r-- pp.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/pp.c b/pp.c
index 5876cfd607..857ebec097 100644
--- a/pp.c
+++ b/pp.c
@@ -3439,6 +3439,7 @@ PP(pp_sprintf)
dVAR; dSP; dMARK; dORIGMARK; dTARGET;
if (SvTAINTED(MARK[1]))
TAINT_PROPER("sprintf");
+ SvTAINTED_off(TARG);
do_sprintf(TARG, SP-MARK, MARK+1);
TAINT_IF(SvTAINTED(TARG));
SP = ORIGMARK;
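Review bot: The added `SvTAINTED_off(TARG);` just before `do_sprintf(TARG, SP-MARK, MARK+1);` has no comment, and read on its own it looks as if pp_sprintf were stripping taint from its result. A one-line comment saying that TARG is reused across executions of the op and may still carry taint from an earlier call, and that the following `TAINT_IF(SvTAINTED(TARG));` relies on do_sprintf() tainting TARG from the current arguments, would stop a later cleanup from removing the line. The diff shown is limited to pp.c, so no regression test is visible here; the change should be accompanied by one that runs the same sprintf op first with tainted and then with untainted arguments and covers both the "%s%s" and "%s %s" formats named in the commit message.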