Item2091: Enabling LINKTOOLTIPINFO causes taint error

Priority: Urgent
Current State: Closed
Released In: 1.0.7
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: KennethLavrsen
Waiting For:
Last Change By: KennethLavrsen
Enabling LINKTOOLTIPINFO causes taint error

The problem is related to locale combined with converting characters to upper case.

Depending on your perl version you may require $ENV{FOSWIKI_ASSERTS} = 1; to be uncommented in bin/LocalLib.cfg to see this. But potentially it will also fail in normal non-debug mode.

-- KennethLavrsen - 17 Sep 2009

This only manifests if taint checking is enabled with ASSERTS on, so arguably it's not a release blocker. However it makes it really hard to debug if turning on asserts causes loads of taint errors!

There are a number of possible solutions to this problem. perllocale tells us that:
  • Case-mapping interpolation (with \l, \L, \u or \U)

    Result string containing interpolated material is tainted if use locale is in effect.

  • Matching operator (m//):

    Subpatterns, either delivered as a list-context result or as $1 etc. are tainted if use locale is in effect, and the subpattern regular expression contains \w (to match an alphanumeric character), \W (non-alphanumeric character), \s (whitespace character), or \S (non whitespace character). The matched-pattern variable, $&, $` (pre-match), $' (post-match), and $+ (last match) are also tainted if use locale is in effect and the regular expression contains \w, \W, \s, or \S.

  • Substitution operator (s///):

    Has the same behavior as the match operator. Also, the left operand of =~ becomes tainted when use locale is in effect if modified as a result of a substitution based on a regular expression match involving \w, \W, \s, or \S; or of case-mapping with \l, \L, \u or \U.

  • Case-mapping functions (lc(), lcfirst(), uc(), ucfirst()):

    Results are tainted if use locale is in effect.

There is no substitute for manual verification of the code for all these cases, unfortunately, as any of them can untaint data. Fortunately I did most of this manual verification during the run up to 1.0.6, and only missed (I hope) LINKTOOLTIPINFO, which I never use so didn't test. Unfortunately this once again points to how essential it is to manually test some of these weirder and less used options.

I think it's sufficient to fix the cases in the LINKTOOLTIPINFO flow where case conversion causes filename taints by using a Sandbox::untaintUnchecked. But I suspect there are other places in the code where these taint errors are lurking.

-- CrawfordCurrie - 18 Sep 2009
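The following script is added here to make the perllocale rules quoted above observable; it is not part of the original report and not Foswiki's own code. It uses Scalar::Util::tainted to show which values come back tainted from uc(), \u interpolation and a \w capture under use locale, and then shows the standard Perl untaint idiom (a capture from a pattern containing none of \w, \W, \s or \S, which is what I assume Sandbox::untaintUnchecked relies on) and why it is needed before a file-modifying operation. The helper name untaint_unchecked, the sample topic name WebHome and the temporary directory are my own constructions. Run it with perl -T; as the report notes, which operations actually taint depends on your perl version and on the active locale, so read the printed TAINTED/clean column for your build rather than assuming.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_locale.pl   (the -T must be on the command line or shebang)
use strict;
use warnings;
use locale;                       # the pragma that makes locale-dependent ops taint their result
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Local helper (hypothetical name): the usual Perl untaint idiom. The pattern has
# no \w \W \s \S, so under 'use locale' the capture is NOT re-tainted. Note that
# /^(.*)$/s drops a single trailing newline, as any $-anchored capture does.
sub untaint_unchecked {
    my ($string) = @_;
    return $string unless defined $string;
    $string =~ /^(.*)$/s;
    return $1;
}

# Print one line per value: label plus its taint state.
sub taint_state {
    my ($label, $value) = @_;
    printf "%-36s %s\n", $label, tainted($value) ? 'TAINTED' : 'clean';
}

# Constructed input: a string literal is clean even under -T.
my $topic = 'WebHome';
taint_state('literal $topic', $topic);

# perllocale: uc()/lc()/ucfirst()/lcfirst() results are tainted under 'use locale'.
my $upper = uc $topic;
taint_state('uc($topic)', $upper);

# Same rule for case-mapping interpolation with \u \U \l \L ...
my $interp = "\u$topic";
taint_state('"\\u$topic"', $interp);

# ... and for captures from a pattern that uses \w (or \W \s \S).
my ($captured) = $topic =~ /^(\w+)$/;
taint_state('$1 from /^(\w+)$/', $captured);

# A capture from a pattern without those escapes stays clean: the untaint idiom.
my $clean = untaint_unchecked($upper);
taint_state('untaint_unchecked(uc($topic))', $clean);

# Consequence: opening a file for writing dies with "Insecure dependency" when the
# path carries taint, and proceeds once the name has been untainted. Writes go to a
# throw-away temporary directory (constructed for the demo, removed at exit).
my $dir = tempdir(CLEANUP => 1);
for my $name ($upper, $clean) {
    my $ok = eval {
        open(my $fh, '>', "$dir/$name.txt") or die "open failed: $!\n";
        close $fh;
        1;
    };
    printf "open(> %s.txt) %s\n", $name, $ok ? 'succeeded' : "died: $@";
}
```

The first open is the situation the report describes: a topic or file name that passed through uc() under use locale reaches a filesystem call while still tainted, and with taint checking on it dies instead of failing quietly. The second open shows that untainting through a locale-independent capture, applied at the point where the name is known to be safe, is enough to let the same call proceed.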


Summary: Enabling LINKTOOLTIPINFO causes taint error
Reported By: KennethLavrsen
Codebase:
SVN Range: Foswiki-1.0.6, Sun, 21 Jun 2009, build 4272
Applies To: Engine
Component:
Priority: Urgent
Current State: Closed
Waiting For:
Checkins: distro:ebd7d951aac0 distro:40895c0028ad
Target Release: patch
Released In: 1.0.7
Topic revision: r6 - 20 Sep 2009, KennethLavrsen