Skip Menu |

This queue is for tickets about the URI CPAN distribution.

Report information
The Basics
Id: 52707
Status: new
Priority: 0/
Queue: URI

Owner: Nobody in particular
Requestors: scop [...]

Bug Information
Severity: (no value)
Broken in: 1.51
Fixed in: (no value)

Subject: URI::host may return tainted data when called for the first time
Download (untitled) / with headers
text/plain 2.4k
I'm trying to track down an obscure taint mode issue, probably in URI. In short, for a URI object that had an explicit port in the string it was constructed from, the first time $uri->host() is called it sometimes (!) returns tainted data, and non-tainted when called again after that. When it happens, it happens even if the string the URI was constructed from was not tainted. I've tracked it deep down in URI::_server::host. The line that causes it is: $old =~ s/:\d+$//; # remove the port If I replace the \d with [[:digit:]] or [0-9] or \w or . , the problem does not occur. Longer explanation: This occurs with the W3C Markup Validator when validating some HTML 5 documents and when configured to POST the HTML 5 document to an external HTML 5 validator using a URI that has a port. The issue is that for some retrieved documents, the POST fails with "500 Insecure dependency in connect while running with -T switch". I am very confused about this, because it happens only for *some* validated documents, not all. I don't see how the contents of the validated (internally POSTed to the HTML 5 validator URL) documents would be relevant. They're all POSTed to the same URL/host/port. I have also failed to create a small reproducer, but using this version of the markup validator: , configured to POST the HTML 5 markup to for example to or , and validating the document at the problem occurs on two different systems I have access to. As said it does not happen with all documents, for example validating the content at instead of http://htmlex.met.xz/ it does not happen. Also it does not happen if the HTML 5 validator where the content is POSTed is configured to be (without the :80 in the URL). I have found a couple of different workarounds, for none of which I can tell why exactly they work around the issue, but they do: a) Using $url->query("out=xml") instead of $url->query_form(out => "xml") in html5_validate() (around line 1167) in the validator code (see above URL). b) Placing a throwaway $uri->host() call after the query_form in the validator code in html5_validate() (again, see above URL). The string $CFG->{External}->{HTML5} from which the URI object is created is not tainted.

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to