Closed Bug 287926 Opened 20 years ago Closed 20 years ago

Something in Config.pm causes a taint problem in IO::Socket

Product/Component: Bugzilla :: Bugzilla-General
Type: defect
Version: 2.19.2
Platform: x86, Linux
Priority: Not set
Severity: major
Status: RESOLVED DUPLICATE of bug 287763
Reporter: bugreport
Assignee: Unassigned

Using Perl 5.8.0, if you run....

#!/usr/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#

use strict;
use lib ".";
require "CGI.pl";
#use Bugzilla::Config qw(:locations);


use Net::SMTP;
use IO::Socket;


it does not fail...

Uncomment the Config.pm line, and it will not compile.

With a clean 5.8.1 install (from source) with Bundle::CPAN and Date::Format
installed from CPAN, this can be reproduced.

Just to make this nice and strange, line 22 of Socket.pm is...

  require IO::Socket::UNIX if ($^O ne 'epoc');

If I change that to...

  #require IO::Socket::UNIX;

this starts to work.

A version of Bugzilla I checked out on Feb 18th doesn't show this problem.
There's been a *lot* of work since then.

This is caused by bug 280778 -- one of mine :(

  choices => $^O =~ /MSWin32/i 
    ? ['smtp', 'testfile']
    : ['sendmail', 'smtp', 'qmail', 'testfile'],


I don't see how this caused the problem, however.

Could that have taken $^O from untainted to tainted???  It might be worth
forcing it to be tainted or detainted and seeing if that makes the problem come
and go.

$^O is tainted after that call.  trick_taint'ing it at the end of defparams
fixes this issue.

However, why is perl flagging $^O as tainted after that call when it's 100%
constants?

Running defparams in isolation doesn't taint $^O...

use strict;
use Safe;

sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

printf "before: %s\n", is_tainted($^O) ? 'y' : 'n';

use vars qw(@param_list);

unless (my $ret = do 'defparams.pl') {
    die "Couldn't parse defparams.pl: $@" if $@;
    die "Couldn't do defparams.pl: $!" unless defined $ret;
    die "Couldn't run defparams.pl" unless $ret;
}

printf "after: %s\n", is_tainted($^O) ? 'y' : 'n';


I'm so confused.

*** This bug has been marked as a duplicate of 287763 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE