Tainted filehandle read causes problems for downstream users #9

jkeenan opened this issue May 18, 2014 · 3 comments

jkeenan commented May 18, 2014

This issue refers to the following ticket in the Perl 5 bug queue:
https://rt.perl.org/Ticket/Display.html?id=115370

And specifically to these two comments wherein I trace the OP's original problem to Module::Metadata:
https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272193
https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272238

To recap:

The relevant code is this part of cpan/Module-Metadata/lib/Module/Metadata.pm, starting at line 514 in the version in blead:

```perl
sub _parse_fh {
  my ($self, $fh) = @_;
...
  while (defined( my $line = <$fh> )) {
```

$line is being read from a filehandle and is, therefore, tainted at this point. It is eventually passed to Module::Metadata::_evaluate_version_line(), inside of which the eval string occurs, which is the point where the program fails due to the insecure dependency.

To resolve the problem in this ticket we would have to untaint $line after reading from the filehandle. Whether we should do that is something we'll have to discuss. Will ping the maintainer.

ISTR contacting Karen or someone else in Toolchain six months ago, but I could very well be mistaken about that. In any event, the problematic code can still be found in v0.22 of Module-Metadata. (v0.19 of Module-Metadata is the current version being distributed with Perl 5 core and will presumably go out with Perl 5.20.0 in the coming week.)

Can you investigate?

Thank you very much.
Jim Keenan
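
The failure described in the comment above, reproduced as an added example (not code from Module::Metadata or from this thread): a line read from a filehandle under `-T` is tainted, a string `eval` of it dies, and an allowlist regex capture yields an untainted statement that can be evaluated. The helper names, the in-memory filehandle standing in for a module file, and the version pattern are assumptions made for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run as: perl -T $0\n" unless ${^TAINT};

# Constructed sample input standing in for a module file on disk.
my $source = <<'EOF';
package Demo::Module;
our $VERSION = '1.23';
1;
EOF

# Hypothetical helper: return the first line that mentions $VERSION.
sub read_version_line {
    my ($fh) = @_;
    while (defined(my $line = <$fh>)) {
        return $line if $line =~ /\$VERSION\b/;
    }
    return;
}

# Hypothetical helper: run a string eval and report the outcome as text.
sub try_eval {
    my ($code) = @_;
    my ($value, $err);
    eval { $value = eval $code; $err = $@; 1 } or $err = $@;
    chomp $err;
    return $err eq '' ? "ok: $value" : "failed: $err";
}

# Hypothetical helper: untaint by allowlist. Only a plain assignment of a
# decimal or dotted version literal is accepted, and the statement is
# rebuilt from the capture instead of trusting the rest of the line.
sub untaint_version_line {
    my ($line) = @_;
    return unless $line =~
        /^\s*(?:our\s+)?\$VERSION\s*=\s*(['"]?)(v?\d+(?:\.\d+)*(?:_\d+)?)\1\s*;\s*$/;
    return "our \$VERSION = '$2';";
}

open my $fh, '<', \$source or die "open: $!";
my $line = read_version_line($fh);
close $fh;
my $clean = untaint_version_line($line) or die "no acceptable version literal\n";

printf "raw line tainted:   %s\n", tainted($line)  ? 'yes' : 'no';
printf "eval raw line:      %s\n", try_eval($line);
printf "clean line tainted: %s\n", tainted($clean) ? 'yes' : 'no';
printf "eval clean line:    %s\n", try_eval($clean);
```

Untainting with a catch-all capture such as `(.*)` would silence the error while still passing arbitrary file content to `eval`, which is why the pattern here accepts only a version literal.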

@karenetheridge
Member

I think this would get resolved with the merge of #1 (when I resolve the outstanding issues), which reworks the version extraction logic.

@haarg
Member

haarg commented May 19, 2014

#1 in its current state won't resolve this, but it would provide the foundation to do so.

@karenetheridge
Copy link
Member

The issue described in https://rt.perl.org/Ticket/Display.html?id=115370 was resolved with Module-Metadata-1.000017. However, given:

> In any event, the problematic code can still be found in v0.22 of Module-Metadata.

I'm wondering if there is another issue still lingering? Do we have a repro case for that?
