diff options
| author | Zefram <zefram@fysh.org> | 2017-11-19 09:15:53 +0000 |
|---|---|---|
| committer | Zefram <zefram@fysh.org> | 2017-11-19 09:22:17 +0000 |
| commit | c4f4b223e71713a6e8ae2141274c91f4ce821405 (patch) | |
| tree | 677bb0f923e789615d262d63fbb59d3c4a5d46d4 /pp_ctl.c | |
| parent | 2a62c8c9d9eee8648a81ba731c18be302e19dc4b (diff) | |
| download | perl-c4f4b223e71713a6e8ae2141274c91f4ce821405.tar.gz | |
fix tainting of s/// with overloaded replacement
The substitution code was trying to track the taintedness of the
replacement string itself, but it didn't account for the replacement
being an untainted object with overloading that returns a tainted
stringification. It looked at the taintedness of the object value, not
realising that taint could arise during the string concatenation per se.
Change the taint checks to look at the actual TAINT_get flag after string
concatenation. This may falsely ascribe to the replacement taint that
actually came from somewhere else, but the end result is the same anyway:
there's no visible behaviour that distinguishes taint specifically from
the replacement. Also remove a related taint check that seems to be
not needed at all. Fixes [perl #115266].
Diffstat (limited to 'pp_ctl.c')
| -rw-r--r-- | pp_ctl.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -213,9 +213,9 @@ PP(pp_substcont) SvGETMAGIC(TOPs); /* possibly clear taint on $1 etc: #67962 */ /* See "how taint works" above pp_subst() */ - if (SvTAINTED(TOPs)) - cx->sb_rxtainted |= SUBST_TAINT_REPL; sv_catsv_nomg(dstr, POPs); + if (UNLIKELY(TAINT_get)) + cx->sb_rxtainted |= SUBST_TAINT_REPL; if (CxONCE(cx) || s < orig || !CALLREGEXEC(rx, s, cx->sb_strend, orig, (s == m), cx->sb_targ, NULL, |