
[perl #59998] crypt() returns tainted data even when input strings are detainted



# New Ticket Created by  Frédéric Buclin 
# Please include the string:  [perl #59998]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=59998 >


This is a bug report for perl from LpSolit@gmail.com,
generated with the help of perlbug 1.36 running under perl 5.10.0.

Run the following script as: perl -wT test.pl foo bar
$crypted3 is tainted even though the input string has been detainted. Note that
$crypted2 is not tainted, although the code in bz_crypt() is very similar
to the code in bz_crypt2(). IMO, that's not the expected behavior.



#!/usr/bin/perl -wT

use strict;

# Report whether the eval block below dies: returns true when it does, and
# false when the block runs to completion and yields 1.
# NOTE(review): this looks like the taint probe documented in perlsec -- under
# -T, kill is expected to raise a taint exception when the same statement also
# handled tainted data, which is why the join and the kill share one statement.
# Confirm against the perlsec of the perl under test before restructuring it.
# Without -T the block is presumably never expected to die, so the result
# would always be false.
sub is_tainted {
    return not eval { my $foo = join('',@_), kill 0; 1; };
}

# Hash $password with crypt() using a freshly generated 8-character salt and
# return the result.
#
# The only external value this sub reads is $password; the salt is built
# locally. In this script it is called once, with a detainted password.
#
# NOTE(review): rand() is not a cryptographically secure source, so these
# salts are predictable to some degree. How the 8-character salt is used
# depends on the platform's crypt(); a traditional DES crypt(3) only consumes
# the first two characters. Adequate for a test case, not a model for real
# password storage.
sub bz_crypt {
    my ($password) = @_;

    # 64-entry salt alphabet: 10 digits + 26 upper + 26 lower + '.' and '/'.
    my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');

    my $salt = '';
    for ( my $i=0 ; $i < 8 ; ++$i ) {
        # rand(64) matches the alphabet size; the fractional result is
        # truncated when used as an array index.
        $salt .= $saltchars[rand(64)];
    }

    # Crypt the password.
    my $cryptedpassword = crypt($password, $salt);

    # Return the crypted password.
    return $cryptedpassword;
}

# Hash $password with crypt() and return the result. $salt is optional: when
# the caller passes none (undef), an 8-character salt is generated exactly as
# in bz_crypt(); otherwise the caller's salt is handed to crypt() unchanged.
#
# Both paths go through the single crypt() call below. The script calls this
# sub first with a tainted salt and later with no salt at all.
# NOTE(review): the report observes that the later, salt-less call returns a
# tainted value. Since both calls share this one crypt() expression, taint
# from the earlier call may be carried over by the interpreter -- that is an
# inference, not something this code shows; confirm in the perl source.
# NOTE(review): a caller-supplied $salt is not validated here; under -T the
# taint on the result is the only signal that it came from outside.
sub bz_crypt2 {
    my ($password, $salt) = @_;

    if (!defined $salt) {
        # 64-entry salt alphabet: 10 digits + 26 upper + 26 lower + '.' and '/'.
        my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');

        $salt = '';
        for ( my $i=0 ; $i < 8 ; ++$i ) {
            # rand() is not cryptographically secure; see the caveat above
            # before reusing this outside a test case.
            $salt .= $saltchars[rand(64)];
        }
    }

    # Crypt the password.
    my $cryptedpassword = crypt($password, $salt);

    # Return the crypted password.
    return $cryptedpassword;
}

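# Driver for the test case. Expects a password and a salt on the command line
# (perl -wT test.pl foo bar); both arrive tainted under -T.
@ARGV >= 2
    or die "usage: perl -wT test.pl PASSWORD SALT\n";
my ($pwd, $salt) = ($ARGV[0], $ARGV[1]);

# Detaint the password, but leave the salt tainted.
# The catch-all pattern validates nothing; it only clears the taint flag for
# this test. Real code should untaint with a pattern that describes the
# accepted input. $1 is read only after a successful match, because after a
# failed match it would still hold whatever an earlier match captured.
if ($pwd =~ /^(.*)$/) {
    $pwd = $1;
}
else {
    die "password must be a single line\n";
}

# The order of the three calls is part of the test case: the tainted-salt call
# to bz_crypt2() comes before the salt-less one.

# Tainted salt, so the encrypted password should be tainted too.
my $crypted = bz_crypt2($pwd, $salt);
print "crypted is tainted? " . (is_tainted($crypted) ? "yes" : "no") .
" (expected: yes)\n";

# Detainted password, so the encrypted password should not be tainted.
my $crypted2 = bz_crypt($pwd);
print "crypted2 is tainted? " . (is_tainted($crypted2) ? "yes" : "no") .
" (expected: no)\n";

# Detainted password, so the encrypted password should not be tainted.
my $crypted3 = bz_crypt2($pwd);
print "crypted3 is tainted? " . (is_tainted($crypted3) ? "yes" : "no") .
" (expected: no)\n";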


---
Flags:
    category=core
    severity=high
---
Site configuration information for perl 5.10.0:

Configured by Mandriva at Thu Sep 18 16:39:24 EDT 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.6.22.18-server-1mdv,
archname=i386-linux-thread-multi
    uname='linux n2.mandriva.com 2.6.22.18-server-1mdv #1 smp mon feb 11
16:46:24 est 2008 i686 intel(r) xeon(tm) cpu 2.80ghz gnulinux '
    config_args='-des -Dinc_version_list=5.8.8 5.8.7 5.8.6 5.8.5 5.8.4
5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Darchname=i386-linux -Dcc=gcc
-Doptimize=-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer
-march=i586 -mtune=generic -fasynchronous-unwind-tables -DDEBUGGING=-g
-Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr
-Dsitebin=/usr/local/bin -Dsiteman1dir=/usr/local/share/man/man1
-Dsiteman3dir=/usr/local/share/man/man3 -Dman3ext=3pm -Dcf_by=Mandriva
-Dmyhostname=localhost -Dperladmin=root@localhost
-Dcf_email=root@localhost -Dd_dosuid -Ud_csh -Duseshrplib -Duseithreads
-Di_db -Di_ndbm -Di_gdbm'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing
-pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-I/usr/include/gdbm',
    optimize='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer
-march=i586 -mtune=generic -fasynchronous-unwind-tables',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe
-I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='4.3.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.8.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.8'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E
-Wl,-rpath,/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586
-mtune=generic -fasynchronous-unwind-tables -L/usr/local/lib'

Locally applied patches:
    Mandriva Linux patches

---
@INC for perl 5.10.0:
    /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.10.0
    /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.10.0
    /usr/lib/perl5/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/5.10.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl
    .

---
Environment for perl 5.10.0:
    HOME=/root
    LANG=fr_CH.UTF-8
    LANGUAGE=fr_CH.UTF-8:fr
    LC_ADDRESS=fr_CH.UTF-8
    LC_COLLATE=fr_CH.UTF-8
    LC_CTYPE=fr_CH.UTF-8
    LC_IDENTIFICATION=fr_CH.UTF-8
    LC_MEASUREMENT=fr_CH.UTF-8
    LC_MESSAGES=fr_CH.UTF-8
    LC_MONETARY=fr_CH.UTF-8
    LC_NAME=fr_CH.UTF-8
    LC_NUMERIC=fr_CH.UTF-8
    LC_PAPER=fr_CH.UTF-8
    LC_SOURCED=1
    LC_TELEPHONE=fr_CH.UTF-8
    LC_TIME=fr_CH.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/root/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

