Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/04/08 14:38:47 UTC
[Bug 7806] New: Tainting through concatenation with $^X does not taint
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
Bug ID: 7806
Summary: Tainting through concatenation with $^X does not taint
Product: Spamassassin
Version: 3.4.4
Hardware: PC
OS: Linux
Status: NEW
Severity: blocker
Priority: P2
Component: spamassassin
Assignee: dev@spamassassin.apache.org
Reporter: rodolfo@saccani.net
Target Milestone: Undefined
Env: CentOS Linux, perl5.10.1, spamassassin invoked by MailScanner
Util.pm, sub taint_var is supposed to taint a variable by concatenating it with
$^X:
###########################################################################
sub taint_var {
  my ($v) = @_;
  return $v unless defined $v;  # can't taint "undef"
  # $^X is apparently "always tainted".
  # Concatenating an empty tainted string taints the result.
  return $v . substr($^X, 0, 0);
}
But it doesn't. Variables are not tainted by concatenation with $^X
The following implementation does indeed taint:
###########################################################################
my $tainted = undef;
sub taint_var {
  my ($v) = @_;
  return $v unless defined $v;  # can't taint "undef"
  # Create a handy tainted empty string
  unless (defined $tainted) {
    open my $fh, '<', \"" or die "Can't open: $!";
    local $/;
    $tainted = <$fh>;
  }
  # Concatenating an empty tainted string taints the result.
  return $v . substr($tainted, 0, 0);
}
Rather than using $^X this approach creates a certainly tainted variable
$tainted only once and re-uses it whenever needed.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
--- Comment #3 from Henrik Krohns <ap...@hege.li> ---
(In reply to Rodolfo Saccani from comment #2)
> MailScanner --lint
> this is all that is needed to reproduce the issue on CentOS with perl 5.10.1
Sorry but this is not helpful. I do not have MailScanner and I don't know what
is supposed to happen.
What is the actual _error output_?
Fact is that CentOS6 box stock perl 5.10.1 works just fine with $^X. Your
problem is likely something else MailScanner related.
$ perl -T -e '$ENV{PATH} = "/usr/bin"; $foo = "uptime"; system($foo);'
22:53:52 up 22 days, 10:59, 1 user, load average: 0.02, 0.01, 0.00
$ perl -T -e '$ENV{PATH} = "/usr/bin"; $foo = "uptime".substr($^X, 0, 0); system($foo);'
Insecure dependency in system while running with -T switch at -e line 1.
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |apache@hege.li
--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
(In reply to Rodolfo Saccani from comment #0)
>
> But it doesn't. Variables are not tainted by concatenation with $^X
And where is your proof please?
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
--- Comment #2 from Rodolfo Saccani <ro...@saccani.net> ---
MailScanner --lint
this is all that is needed to reproduce the issue on CentOS with perl 5.10.1
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #5 from Henrik Krohns <ap...@hege.li> ---
Doesn't seem to be a problem with newer perls..
Oh well, I rather use both methods then, never know what Perl might change:
Sending spamassassin-3.4/lib/Mail/SpamAssassin/Util.pm
Sending trunk/lib/Mail/SpamAssassin/Util.pm
Transmitting file data ..done
Committing transaction...
Committed revision 1876320.
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
Rodolfo Saccani <ro...@saccani.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rodolfo@saccani.net
[Bug 7806] Tainting through concatenation with $^X does not taint
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7806
--- Comment #4 from Rodolfo Saccani <ro...@saccani.net> ---
Created attachment 5696
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5696&action=edit
sample code to reproduce the issue
This attachment reproduces the issue.
Launch it as root.
# perl taint.pl
Setting UID to 89
Use taint?.............1
Is $^X tainted?........0
Is $tainted tainted?...1
Why?
When dropping root privileges the taint checks are enabled but $^X is not
tainted because it had been executed previously.
This is expected, read below.
https://perldoc.perl.org/perlsec.html#Taint-mode says:
Perl automatically enables a set of special security checks, called taint mode,
when it detects its program running with differing real and effective user or
group IDs.
This leads to $^X not being reliable when taint is enabled at runtime.
Enabling taint checking at runtime is not unusual.
I suggest replacing the use of $^X with the code provided, which taints reliably.
--
You are receiving this mail because:
You are the assignee for the bug.
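
A self-checking variant of the taint_var discussed in this thread, added here as an example (it is not SpamAssassin's code and not the committed fix): it tries $^X first, falls back to the in-memory filehandle read proposed in the report, and confirms the outcome with Scalar::Util::tainted instead of assuming either source is tainted. The names taint_var_checked, taint_report and %sources are hypothetical.

```perl
# Added example. Run as: perl -T taint_check.pl   (file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Candidate taint sources discussed in the bug; each returns a string.
my %sources = (
  '$^X'        => sub { $^X },
  'filehandle' => sub {
    # Reading from a filehandle, here an in-memory one over "".
    open(my $fh, '<', \"") or die "Can't open: $!";
    local $/;
    my $data = <$fh>;
    return defined $data ? $data : '';
  },
);

# Report which candidate sources are actually tainted in this process.
sub taint_report {
  return map { $_ => (tainted($sources{$_}->()) ? 1 : 0) } keys %sources;
}

my $seed;  # empty tainted string, cached once a source has been confirmed

# Hypothetical variant of taint_var that verifies its own result.
sub taint_var_checked {
  my ($v) = @_;
  return $v unless defined $v;   # can't taint "undef"
  return $v unless ${^TAINT};    # taint mode is off: nothing can be tainted
  unless (defined $seed) {
    for my $name ('$^X', 'filehandle') {
      my $empty = substr($sources{$name}->(), 0, 0);
      if (tainted($empty)) { $seed = $empty; last }
    }
    die "taint_var_checked: no tainted source available\n"
      unless defined $seed;
  }
  my $out = $v . $seed;          # concatenation carries the taint flag
  die "taint_var_checked: result is not tainted\n" unless tainted($out);
  return $out;
}

my %r = taint_report();
printf "Taint mode (\${^TAINT}): %d\n", ${^TAINT};
printf "Is %-10s tainted? %d\n", $_, $r{$_} for sort keys %r;
printf "Result tainted? %d\n", tainted(taint_var_checked('uptime')) ? 1 : 0;
```

Without -T the script reports taint mode 0 and returns the value unchanged; failing loudly when no source is tainted turns a silent loss of tainting into a visible error.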