Skip Menu |
 

This queue is for tickets about the Data-FormValidator CPAN distribution.

Maintainer(s)' notes

This is the bug queue for Data::FormValidator.

Report information
The Basics
Id: 61792
Status: open
Priority: 0/
Queue: Data-FormValidator

People
Owner: MARKSTOS [...] cpan.org
Requestors: dam [...] cpan.org
dst [...] heise.de
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 4.65
Fixed in: (no value)



Download (untitled) / with headers
text/plain 752b
Hi, When untaint_all_constraints is used, D::F::Results reports an invalid field as valid. The content is the last successful regexp match, which may be absolutely unrelated to DFV. I reproduced the bug with the attached script using Perl 5.12.1 and DFV 4.66 on a Debian Lenny system. I believe the problem is in line 809 of D::F::Results: my ($match) = scalar ($val =~ $re); if ($untaint_this && defined $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted; } The "scalar" has been added between 4.61 and 4.66. Even if $re does not match, the scalar returns a defined value, which leads into an old $& being used. Cheers, Dennis
Subject: dfvbug.pl
Download dfvbug.pl
text/x-perl 340b
#!/opt/perl/5.12/bin/perl use strict; use warnings; use Data::FormValidator; "some_unrelated_string" =~ m/^.*$/; my $profile = { untaint_all_constraints => 1, required => [qw(a)], constraint_methods => { a => qr/will_never_match/, }, }; my $results = Data::FormValidator->check({ a => 1 }, $profile); warn $results->valid('a');
Download (untitled) / with headers
text/plain 742b
On Thu Sep 30 05:58:50 2010, dst wrote: Show quoted text
> Hi, > > When untaint_all_constraints is used, D::F::Results reports an > invalid field as valid. The content is the last successful regexp > match, which may be absolutely unrelated to DFV. I reproduced > the bug with the attached script using Perl 5.12.1 and DFV 4.66 on > a Debian Lenny system. > > I believe the problem is in line 809 of D::F::Results: > > my ($match) = scalar ($val =~ $re); > if ($untaint_this && defined $match) { > # pass the value through a RE that matches anything to untaint it. > my ($untainted) = ($& =~ m/(.*)/s); > return $untainted; > }
Thanks for the report, Dennis. Do you have a suggested fix? Thanks, Mark Stosberg
Subject: _create_sub_from_RE untaints a previous $& when there is no match
Download (untitled) / with headers
text/plain 1.4k
Hi, Today I stumbled upon this bug. На Thu, 30 Sep 2010 18:05:00 +0300, MARKSTOS написа: Show quoted text
> On Thu Sep 30 05:58:50 2010, dst wrote:
> > When untaint_all_constraints is used, D::F::Results reports an > > invalid field as valid. The content is the last successful regexp > > match, which may be absolutely unrelated to DFV. I reproduced > > the bug with the attached script using Perl 5.12.1 and DFV 4.66 on > > a Debian Lenny system.
> > Thanks for the report, Dennis. > > Do you have a suggested fix?
... and I can suggest a fix. The following patch fixes the check for a successful match by dropping 'defined' from the =~ result. According to perlop, "When used in scalar context, the return value generally indicates the success of the operation." i.e. there is no indication that the result is undefined when there is no match, it is just a boolean result. Thanks for considering. --- a/lib/Data/FormValidator/Results.pm +++ b/lib/Data/FormValidator/Results.pm @@ -807,7 +807,7 @@ sub _create_sub_from_RE { # With methods, the value is the second argument my $val = $force_method_p ? $_[1] : $_[0]; my ($match) = scalar ($val =~ $re); - if ($untaint_this && defined $match) { + if ($untaint_this && $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted;
Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Tue, 07 Jun 2011 09:32:13 -0400
To: bug-Data-FormValidator [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Download (untitled) / with headers
text/plain 307b
Show quoted text
> ... and I can suggest a fix. The following patch fixes the check for a > successful match by dropping 'defined' from the =~ result.
Thanks. Would you also be willing to contribute a new test suite test which illustrates the bug, and confirm that all existing tests pass with the patch applied? Mark
CC: dst [...] heise.de
Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Wed, 8 Jun 2011 22:35:12 +0300
To: "mark [...] summersault.com via RT" <bug-Data-FormValidator [...] rt.cpan.org>
From: Damyan Ivanov <dam [...] cpan.org>
Download (untitled) / with headers
text/plain 536b
-=| mark@summersault.com via RT, Tue, Jun 07, 2011 at 09:32:29AM -0400 |=- Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=61792 >
> > ... and I can suggest a fix. The following patch fixes the check > > for a successful match by dropping 'defined' from the =~ result.
> > Thanks. Would you also be willing to contribute a new test suite test > which illustrates the bug, and confirm that all existing tests pass with > the patch applied?
Sure, test attached. Without the patch it fails,; with the patch all tests pass. Cheers!

Message body is not shown because sender requested not to inline it.

Subject: Re: [rt.cpan.org #61792] _create_sub_from_RE untaints a previous $& when there is no match
Date: Wed, 08 Jun 2011 15:47:10 -0400
To: bug-Data-FormValidator [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks! I'll take a look. Mark
Subject: untainting issue: CVE-2011-2201 (Stosberg connection)
Download (untitled) / with headers
text/plain 2.2k
I just noticed that "Dennis Stosberg" was reporter on this report. Hello there! If you didn't notice, my name is "Mark Stosberg". I think we are probably related. Here's the German site for the family, if you'd like to check: http://www.stammesverband-stursberg.com/ ### Separately, here's the patch that Fedora is using to address this bug. The patch and test look similar to what was already provided here. Now that I've updated to the subject to clearly note "CVE", this will be on my radar for a release soon. ### diff -up Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm --- Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig 2010-02-24 15:31:03.000000000 +0100 +++ Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm 2011-08- 28 08:26:22.000000000 +0200 @@ -807,7 +807,7 @@ sub _create_sub_from_RE { # With methods, the value is the second argument my $val = $force_method_p ? $_[1] : $_[0]; my ($match) = scalar ($val =~ $re); - if ($untaint_this && defined $match) { + if ($untaint_this && $match) { # pass the value through a RE that matches anything to untaint it. my ($untainted) = ($& =~ m/(.*)/s); return $untainted; diff -up Data-FormValidator-4.66/t/untaint_match_check.t.orig Data- FormValidator-4.66/t/untaint_match_check.t --- Data-FormValidator-4.66/t/untaint_match_check.t.orig 2011-08- 28 08:26:54.000000000 +0200 +++ Data-FormValidator-4.66/t/untaint_match_check.t 2011-08-28 08:26:30.000000000 +0200 @@ -0,0 +1,22 @@ +use strict; +use warnings; + +use Test::More tests => 3; + +use Data::FormValidator; + +"unrelated match" =~ /match/; + +my $result = Data::FormValidator->check( + { a => 'invalid value' }, # input data + { # validation profile + untaint_all_constraints => 1, + optional => ['a'], + constraints => { a => qr/never matches/, }, + }, +); + +ok( not $result->success ) + or diag( 'Valid: ', $result->valid ); +ok( $result->has_invalid ); +is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } );


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.