Skip Menu |
 

This queue is for tickets about the Encode CPAN distribution.

Report information
The Basics
Id: 84879
Status: resolved
Priority: 0/
Queue: Encode

People
Owner: Nobody in particular
Requestors: Mark.Martinec [...] ijs.si
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in:
  • 2.35
  • 2.36
  • 2.37
  • 2.38
  • 2.39
  • 2.40
  • 2.41
  • 2.42
  • 2.43
  • 2.44
  • 2.45
  • 2.46
  • 2.47
  • 2.48
  • 2.49
Fixed in: (no value)



Subject: Encode::encode and Encode::decode gratuitously launders tainted data
Download (untitled) / with headers
text/plain 1.4k
The result of Encode::encode or Encode::decode is not tainted, even if given a tainted argument. There is no excuse for such gratuitous laundering of data. It subverts usefulness of Perl taint protection mechanism and can open security holes in applications using Encode which are unaware of this bug (here is one example: [rt.cpan.org #82294]). The bug is not new and is not specific to recent versions of perl or versions of the module Encode (tested with Encode 2.49, 2.44, 2.42, 2.35, ...). Some more security conscious existing applications are already jumping hoops providing a workaround, but this is not something which an application should be required to do. The following test program illustrates the problem: #!/usr/bin/perl -T use strict; use Encode qw(encode decode); use Scalar::Util qw(tainted); printf("Encode %s\n", Encode->VERSION); my $str = "abc" . substr($ENV{PATH},0,0); # tainted string my $r; $r = encode("ASCII", $str); warn "encode laundering\n" if tainted($str) && !tainted($r); $r = encode("UTF-8", $str); warn "encode laundering\n" if tainted($str) && !tainted($r); $r = decode("ISO-8859-1", $str); warn "decode laundering\n" if tainted($str) && !tainted($r); There is a related PR 64642 (Tainted values have the taint flag cleared when encoded), which addresses only the encoding half of the problem. It is disheartening that it is labeled under severity "wishlist", where in fact it is genuine security issue. As the Encode is a core module, this issue is also tracked as [perl #117771].
Download (untitled) / with headers
text/plain 1.9k
No excuse. Just fixes. Should be complete since all supported encodings are checked in t/taint.t https://github.com/dankogai/p5-encode/commit/a352ec9d6e5e4bcdd6dde737c8a540774d87b26e https://github.com/dankogai/p5-encode/commit/274673c289e7615e12e642ca54e48d8aac9d82db Thank you for your report. Dan the Maintainer Thereof On Fri Apr 26 13:37:26 2013, Mark.Martinec@ijs.si wrote: Show quoted text
> The result of Encode::encode or Encode::decode > is not tainted, even if given a tainted argument. > > There is no excuse for such gratuitous laundering > of data. It subverts usefulness of Perl taint > protection mechanism and can open security holes > in applications using Encode which are unaware of > this bug (here is one example: [rt.cpan.org #82294]). > > The bug is not new and is not specific to recent > versions of perl or versions of the module Encode > (tested with Encode 2.49, 2.44, 2.42, 2.35, ...). > > Some more security conscious existing applications > are already jumping hoops providing a workaround, > but this is not something which an application > should be required to do. > > The following test program illustrates the problem: > > > #!/usr/bin/perl -T > use strict; > use Encode qw(encode decode); > use Scalar::Util qw(tainted); > > printf("Encode %s\n", Encode->VERSION); > > my $str = "abc" . substr($ENV{PATH},0,0); # tainted string > my $r; > > $r = encode("ASCII", $str); > warn "encode laundering\n" if tainted($str) && !tainted($r); > > $r = encode("UTF-8", $str); > warn "encode laundering\n" if tainted($str) && !tainted($r); > > $r = decode("ISO-8859-1", $str); > warn "decode laundering\n" if tainted($str) && !tainted($r); > > > There is a related PR 64642 (Tainted values have the taint flag > cleared when encoded), which addresses only the encoding half > of the problem. It is disheartening that it is labeled under > severity "wishlist", where in fact it is genuine security issue. > > As the Encode is a core module, this issue is also tracked > as [perl #117771].
Subject: Re: [rt.cpan.org #84879] Resolved: Encode::encode and Encode::decode gratuitously launders tainted data
Date: Fri, 26 Apr 2013 21:01:06 +0200
To: bug-Encode [...] rt.cpan.org
From: Mark Martinec <Mark.Martinec [...] ijs.si>
Download (untitled) / with headers
text/plain 235b
Dan, Show quoted text
> No excuse. Just fixes. Should be complete since all > supported encodings are checked in t/taint.t > https://github.com/dankogai/p5... > Thank you for your report.
A blazingly fast response, amazing! Big thanks!!! Mark


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.