File Coverage

Taint.pm

Criterion	Covered	Total	%
statement	109	123	88.6
branch	38	52	73.0
condition	5	9	55.5
subroutine	21	21	100.0
pod	11	11	100.0
total	184	216	85.1

line	stmt	bran	cond	sub	pod	time	code
1							package Taint;
2
3							# See docs at end for author and copyright info
4
5							=head1 NAME
6
7							Taint - Perl utility extensions for tainted data
8
9							=head1 SYNOPSIS
10
11							use Taint;
12							warn "Oops"
13							if tainted $num, @ids; # Test for tainted data
14							kill $num, @ids; # before using it
15
16							use Carp;
17							use Taint;
18							sub baz { croak "Insecure request" if tainted @_; ... }
19
20							use Taint qw(taint);
21							taint @list, $item; # Intentionally taint data
22
23							use Taint qw(:ALL);
24							$pi = 3.14159 + tainted_zero; # I don't trust irrational numbers
25
26							=head1 DESCRIPTION
27
28							Perl has the ability to mark data as 'tainted', as described in
29							L. Perl will prevent tainted data from being used for
30							some operations, and you may wish to add such caution to your own
31							code. The routines in this module provide convenient ways to taint
32							data and to check data for taint. To remove the taint from data,
33							use the method described in L, or use the make_extractor
34							routine.
35
36							Please read L and L.
37
38							=head1 ROUTINES
39
40							=over 5
41
42							=cut
43
44							require 5.004;
45	4			4		2703	use strict;
	4					6
	4					154
46	4					3801	use vars qw(
47							$VERSION
48							$DEBUGGING
49							@ISA
50							@EXPORT @EXPORT_OK %EXPORT_TAGS
51	4			4		34	);
	4					6
52							my %insanity;
53							my %no_taint_okay;
54
55							require Exporter;
56
57							@ISA = qw(Exporter);
58
59							@EXPORT = qw(tainted);
60
61							@EXPORT_OK = qw(
62							taint
63							is_tainted any_tainted all_tainted taintedness
64							make_extractor
65							tainted_null tainted_zero taint_checking
66							);
67
68							# Installer's option:
69							# Use 1 for normal operation, 0 to disable the ability to
70							# use the unconditional untainting code from this module.
71							# Edit with care: This is a machine-editable line.
72							sub allowing_insanity () { 1 } # Default is 1.
73							# This constant sub is for internal (testing) use only.
74							# It's not documented or intended for outside use.
75
76							# The pseudo-tag ALL does not include unconditional_untaint. That
77							# must be explicitly imported, in a special way. Don't bother. Use
78							# the untainting methods described in the perlsec(1) manpage, or use
79							# make_extractor.
80
81							%EXPORT_TAGS = ( ALL => [ @EXPORT, @EXPORT_OK ] );
82
83							$VERSION = '0.09';
84
85							BEGIN {
86	4			4		8	my $saved_warnings;
87							BEGIN {
88	4			4		14	$saved_warnings = $^W;
89	4					324	$^W = 0; # No warnings while compiling this sub
90							}
91	4					3539	$^W = $saved_warnings;
92
93							# A note to the worried, curious, or paranoid:
94							#
95							# This sub does _not_ actually kill anything. The signal
96							# 0 is actually a fake signal which doesn't get sent, and
97							# which wouldn't do anything if it were sent. And besides,
98							# we never send it anywhere, since there are no process ids
99							# being passed to kill.
100							#
101							# Here's how it works:
102							# First, join unites the arguments, then they are silently
103							# discarded by the comma operator. Next, Perl tries to do
104							# a harmless kill 0. Kill refuses to work if there are any
105							# tainted data being used in the same statement. So, either
106							# the eval aborts (returning undef), or it succeeds, and
107							# returns 1. That return value is inverted by the not
108							# operator, thus making the function return value. Ta da!
109							#
110							sub any_tainted (@) {
111	129			129	1	654	local(@_, $@, $^W) = @_; # Prevent errors, stringifying
112	129					445	not eval { join("",@_), kill 0; 1 };
	129					3573
	40					802
113							}
114							}
115
116							# Just a different prototype
117							sub is_tainted ($) {
118	101			101	1	411	goto &any_tainted;
119							}
120
121							sub all_tainted (@) {
122	10	100		10	1	25	for (@_) { return unless is_tainted $_ }
	35					66
123	5					20	1;
124							}
125
126							sub tainted (@) {
127	11			11	1	745	goto &any_tainted;
128							}
129
130							=item tainted LIST
131
132							=item is_tainted EXPR
133
134							=item any_tainted LIST
135
136							=item all_tainted LIST
137
138							Test one or more items for taint. C is an alias for
139							C, provided for convenience. (Also, C is
140							exported by default.) C is prototyped to take a B
141							scalar> argument, the others take lists. (If you're not sure which
142							one to use, use C.) When taint checks are off, these always
143							return false.
144
145							=cut
146
147							sub taintedness (@) {
148							# Could do this with C,
149							# but that's buggy through 5.004_03.
150	5	100		5	1	16	any_tainted(@_) ? tainted_null() : '';
151							}
152
153							=item taintedness LIST
154
155							This is a utility function, mostly useful for authors of subroutines
156							in modules. It is possible that an algorithm, by its nature, doesn't
157							propagate taintedness as it should. This routine returns the
158							taintedness of its parameters in the form of a null string which
159							is either tainted or not. (When taint checking is off, the return
160							value is always an untainted null string.) That string may be (for
161							example) appended to a return value to taint it if needed.
162
163							sub frobnicate {
164							my($taintedness) = taintedness @_; # save it
165							# ...do some stuff which may or may not
166							# properly propagate taint...
167							return undef if $you_want_to;
168							return $taintedness . $return_value; # restore it
169							}
170
171							=cut
172
173							BEGIN {
174							# Before anything else, we need to get a little
175							# taint on our taintbrush.
176	4			4		8	my $TAINT;
177							{
178							# Let's try the easy way first. Either of these should be
179							# tainted, unless somebody has untainted them, so this
180							# will almost always work on the first try.
181							# (Unless, of course, taint checking has been turned off!)
182	4					14	$TAINT = substr("$0$^X", 0, 0);
	4					33
183	4	100				16	last if is_tainted $TAINT;
184
185							# Let's try again. Maybe somebody cleaned those.
186	1					15	$TAINT = substr(join("", @ARGV, %ENV), 0, 0);
187	1	50				4	last if is_tainted $TAINT;
188
189							# Oh, a wise guy, eh?
190	1					2	local(*FOO);
191	1					2	my $data = '';
192	1					22	for (qw(/dev/null / . ..), values %INC, $0, $^X) {
193							# Why so many? Maybe a file was just deleted or moved;
194							# you never know! :-) At this point, taint checks
195							# are probably off anyway, but this is the ironclad
196							# way to get tainted data if it's possible.
197							# (Yes, even reading from /dev/null works!)
198							#
199	1	50	33			94	last if open FOO, $_
200							and defined sysread FOO, $data, 1
201							}
202							# Assume one of them succeeded. We need only one!
203	1					2	$TAINT = substr($data, 0, 0);
204	1					11	close FOO;
205							}
206
207							# Sanity check
208	4	50				37	die "Internal error. Oops!" if length $TAINT;
209
210							# A tainted zero
211	4					25	my $TAINT0 = 0+"0$TAINT";
212
213							sub taint (@) {
214	11	50		11	1	320	return unless taint_checking();
215	11					30	for (@_) {
216	34	100				68	next if not defined;
217	33	50				134	next if ref;
218							# Taint tied objects by method, if possible
219	33	100				129	if (defined(my $thingy = tied $_)) {
220	2	50				19	if ($thingy->can('TAINT')) {
221	2					7	$thingy->TAINT(1);
222	2					19	next;
223							}
224							}
225	31					78	eval {
226	31	100				72	if ( not $_ & '00' \| '00' ) {
227							# Must already be a number,
228							# so don't stringify it now
229	23					46	$_ += $TAINT0;
230							} else {
231	8					20	$_ .= $TAINT;
232							}
233							};
234	31	50				158	if ($@ =~ /read-only/) {
		50
235	0					0	require Carp;
236	0					0	&Carp::carp("Attempt to taint read-only value");
237							} elsif ($@) {
238	0					0	require Carp;
239	0					0	&Carp::carp("Unexpected error: $@");
240							}
241							}
242	11					28	return; # explicitly, no return value
243							}
244
245							=item taint LIST
246
247							If taint checks are turned on, marks each (apparently) taintable
248							argument in LIST as being tainted. (References and C are
249							never taintable and are left unchanged. Some Cd and magical
250							variables may fail to be tainted by this routine, try as it may.)
251
252							To taint (the values of) an entire hash, use this idiom.
253
254							taint @hash{ keys %hash }; # taint values of %hash
255
256							=cut
257
258							# The following subs are inlineable constants
259							# because their values have no outside refs
260							# (That's why the extra scopes.)
261							{
262	4					15	my $taint = $TAINT;
	4					16
263	16			16	1	346	sub tainted_null () { $taint } # a tainted null string
264							}
265							{
266	4					6	my $taint = $TAINT0;
	4					25
267	3			3	1	16	sub tainted_zero () { $taint } # a tainted zero
268							}
269
270							=item tainted_null
271
272							=item tainted_zero
273
274							If you'd rather taint your data yourself, these constants will let
275							you do it. C is a tainted null string, which may be
276							appended to any data to taint it. (Of course, that will also
277							stringify the data, if needed.) C is (surprise) a
278							tainted zero, which may be added to any number to taint it. Note
279							that when taint checking is off, nothing can be tainted, so then
280							these are merely mundane C<''> and C<0> values.
281
282							=cut
283
284							# This one is inlineable as well
285							{
286	4					9	my $taint_checking = is_tainted $TAINT;
	4					10
287	13			13	1	91	sub taint_checking () { $taint_checking }
288							}
289
290							=item taint_checking
291
292							This constant tells whether taint checks are in use. This is
293							usually only useful in connection with the allow_no_taint option
294							(see L).
295
296							print LOG "Warning: Taint checks not enabled\n"
297							unless taint_checking;
298
299							=cut
300
301							}
302
303							# Private stuff for _display_pattern
304							{
305							my @map; # for converting a pattern to
306							# the usual form, more or less.
307							sub _display_pattern ($) {
308	1			1		2	my $pattern = shift;
309							# Make the map, if we have to
310	1	50				4	unless (@map) {
311	1					5	for (0..0x1f, 0x7f..0xff) { # defaults
312	161					512	$map[$_] = '\\x' . sprintf '%02x', $_;
313							}
314	1					5	for (0x20..0x7e) { # printables
315	95					226	$map[$_] = chr;
316							}
317	1					3	$map[ord("\n")] = '\\n';
318	1					2	$map[ord("\t")] = '\\t';
319	1					3	for (qw( / $ @ )) { # backwhackables
320	3					11	$map[ord] = '\\' . $_;
321							}
322							}
323							# We want to display the poor user's pattern in the way
324							# they're used to seeing it...
325							# ...more or less. If this prints out '\-', that might
326							# not do what a real \- would. But there's no way to be
327							# sure to get it right, really, without parsing the
328							# (possibly invalid) regexp. :-(
329	1					22	my $copy =
330							join '', # Glue together
331							map $map[ord], # a string representing
332							split //, # each character
333							$pattern; # in the pattern
334	1					11	require Carp;
335	1					268	&Carp::carp("Pattern was /$copy/o");
336							}
337							}
338
339							sub make_extractor ($) {
340	4			4	1	85	my $pattern = shift;
341							# We could allow $pattern to be tainted, but we shouldn't.
342							# (The contents of $pattern can't break anything, even
343							# if it's not a valid regexp. It may die, but not break.)
344	4	50				10	if (is_tainted $pattern) {
345	0					0	require Carp;
346	0					0	&Carp::croak("Can't make code from tainted string '$pattern'");
347							}
348	4	100				16	_display_pattern $pattern if $DEBUGGING;
349	4					662	my $sub = eval q{ # Yes, a single-quote eval!
350							my $sub = sub {
351							my @list;
352							for (@_) {
353							push @list, ($_ =~ /$pattern/o);
354							}
355							wantarray ? @list : $list[0]; # return value
356							};
357							&$sub('dummy parameter'); # catch bad patterns
358							$sub; # return value from eval
359							};
360	4	100				21	if ($@) {
361	1					5	$@ =~ s/ at $eval \d+$ line \d+\.\n?$//;
362	1					7	require Carp;
363	1					176	&Carp::croak($@);
364							}
365	3					13	$sub; # return value
366							}
367
368							=item make_extractor EXPR
369
370							This routine returns a coderef for a subroutine which untaints its
371							arguments according to the pattern passed in the string EXPR.
372							Although the argument to this routine must be untainted, the
373							arguments to the generated code may be tainted or not. When taint
374							checking is off, this routine and its generated code behave in
375							essentially the same way, even though neither their parameters nor
376							return values are tainted.
377
378							B: When untainting data, it's often easier to use the method
379							described in L, especially if you're unfamiliar with
380							constructing strings to be used as regular expressions.
381
382							Here's one way this routine might be used. This example is part of
383							a server (similar in some ways to B; see L)
384							which, when given a username, runs the Unix C command, extracts
385							and untaints some information about that user, and reports it. Note
386							that the regular expression is compiled just once, (within the
387							C routine) even though the username may change
388							every time through the main loop.
389
390							while () { # The server runs in an infinite loop
391							my $username = &get_next_request;
392							# $username must already be untainted! (But let's not
393							# assume it doesn't have metacharacters, even though
394							# Unix usernames can't have any.)
395							my $pattern =
396							'^' .
397							quotemeta($username) .
398							'\s+(\S+)\s+(.+)$';
399							my $get_who = make_extractor $pattern;
400
401							my %info = ();
402							for (`who`) {
403							# $_ has lines of tainted information
404							my($tty, $date) = &$get_who($_);
405							# but $tty and $date are untainted
406							$info{$tty} = $date;
407							}
408							# %info now has untainted information
409							...
410							}
411
412							Any items which need to be extracted should be within memory parens.
413							Because of that, the string should normally have at least one set
414							of memory parens. The pattern will be applied to each of the
415							arguments in turn, returning a list of all matched items in memory
416							parens. Any arguments which fail to match will add no items to the
417							list. If called in a scalar context, the generated sub will return
418							just the first untainted item in the list. No locale is used; see
419							L.
420
421							Note that the pattern may need to be written a little differently
422							than usual, since it's going to be passed as a string. For example,
423							it's not necessary to backwhack forward slashes in the pattern,
424							since those aren't regexp metacharacters. Also, if the pattern is
425							built up in an expression, it's important that the components all
426							be untainted! And, of course, it needs to be a valid regular
427							expression; otherwise, it causes an immediate error which may
428							be trapped with C.
429
430							For a case-insensitive match, which would usually be indicated with
431							the C modifier, use the embedded C<(?i)> modifier, as described
432							in L. The other embeddable modifiers also work.
433
434							If the pattern contains backslashes, as many do, it is especially
435							problematic. For example, these attempts to make a pattern aren't
436							doing what they might look like.
437
438							$pattern1 = "(\w+)"; # effectively /(w+)/
439
440							$pattern2 = '\Q' . $foo; # doesn't use quotemeta
441
442							Usually, though, single quotes will do what you expect (and double
443							quotes will confuse you). To help in debugging, you may set
444							C<$Taint::DEBUGGING = 1> before calling make_extractor, which will
445							produce an allegedly-helpful debugging message as a warning. This
446							message will have a form of the regular expression passed, like
447							C for C<$pattern1> above.
448
449							=cut
450
451							sub import {
452	6			6		40	my $class = shift;
453	6					7	my @importables;
454	6					221	my $pkg = caller;
455	6					14	for (@_) {
456	7	100				368	if ($_ eq 'unconditional_untaint') {
		100
457	1	50				6	unless ($insanity{$pkg}) {
458	0					0	require Carp;
459	0					0	&Carp::croak("Wrong way to import unconditional_untaint()");
460							}
461	1					191	my $name = "${pkg}::unconditional_untaint";
462	4			4		31	no strict 'refs';
	4					22
	4					1691
463	1	50				8	if (defined &$name) {
464	0					0	require Carp;
465	0					0	&Carp::croak("Can't redefine &$name");
466							}
467							# Okay, you want it, you got it.
468	1					7	*{$name} = sub {
469							#
470							# This routine is provided on the long-established
471							# Perlian principle that, if you really want it, you
472							# should always be given enough rope to shoot yourself
473							# in the foot.
474							#
475							# Besides, if this routine wasn't here, some fool would
476							# write it up, do it badly, document it worsely, and
477							# then print it in a book which would continue to
478							# haunt us for the next decade. (It's happened
479							# before. Remember 'getgrid'? And the bad methods
480							# some books still use instead of using CGI.pm?)
481							#
482							# If you really want to use this, you lunatic, first put
483							# "no Taint 'sanity';" into your code. This will show
484							# other programmers that you have an odd number of bits
485							# per byte, and they will shun you.
486							#
487							# You have been warned.
488							#
489							# (If you haven't heard by now, the real way to untaint
490							# is described in the perlsec man pages. Doing it this
491							# way is foolish. There's no point in using taint
492							# checking at all if you'll do things like this. But,
493							# hey, it's your funeral.)
494							#
495							# On the other hand, if you've gotten this far, maybe
496							# you should consider a different line of work, such
497							# as a opening a turnip-polishing franchise
498							# or becoming a galley slave.
499							#
500							# You should know that whoever installed this module
501							# may have disabled this routine. That person may
502							# be smarter than you, and secretly laughing at
503							# you now. If I were you, I'd go read the perlsec
504							# manpage. Or at least a good Dilbert book.
505							#
506							# I can't put this off any longer, no matter how
507							# hard I try...
508							#
509	2			2		4	for (@_) {
510	11	100	66			24	$_ = $1 if is_tainted $_ and /^(.*)$/s
511							}
512	2					5	return; # explicitly returns nothing
513	1					199	};
514
515							=item unconditional_untaint LIST
516
517							By unpopular request, this routine is included. Don't use it. Use
518							the method described in L instead. You'd have to be crazy
519							to use this routine. (If you are, read the module itself to see
520							how to enable it. I'm not gonna tell you here.)
521
522							Given a list of possibly tainted B, this untaints each of them
523							without any regard for whether they should be untainted or not.
524
525							=cut
526
527							} elsif ($_ eq 'allow_no_taint') {
528	1					3	$no_taint_okay{$pkg} = 1;
529							} else {
530	5					16	push @importables, $_;
531							}
532							}
533	6	100				53	return unless @importables;
534	5	50	66			63	unless ($no_taint_okay{$pkg} or is_tainted tainted_null) {
535							# What happened? Probably somebody forgot to use -T,
536							# or they thought their script would be setuid/setgid.
537	0					0	warn "Hmmm... Tainting doesn't seem to be turned on.\n";
538	0					0	warn "Did you forget to use the -T invocation option?\n";
539	0					0	require Carp;
540	0					0	&Carp::croak("Taint checks not enabled");
541							}
542	5					14	local($Exporter::ExportLevel) = 1;
543	5					6066	SUPER::import $class @importables;
544							}
545
546							=item allow_no_taint
547
548							By default, importing symbols from this module requires taint checks
549							to be turned on. If you wish to use this module without requiring
550							taint checking (for example, if writing a module which may or may
551							not be run under C<-T>) either import this pseudo-item...
552
553							use Taint qw(allow_no_taint); # allow to run without -T
554							use Taint; # default import list
555
556							or avoid importing any symbols by explicitly passing an empty import
557							list.
558
559							use Taint (); # importing no symbols
560
561							If you use either of these methods to allow taint checks not to be
562							required, you may want to use the constant C (see
563							L) to determine whether checks are on.
564
565							It may be helpful to allow checks to be off during development,
566							but be sure to require them after release!
567
568							=cut
569
570							# This is the fake sub! (But you would have figured that
571							# out for yourself.)
572							sub unconditional_untaint (@) {
573	1			1	1	13	require Carp;
574	1					248	&Carp::carp("sub unconditional_untaint() not properly imported");
575							}
576
577							sub unimport {
578	1			1		4098	my $class = shift;
579	1					894	my $pkg = caller;
580	1					6	for (@_) {
581	1	50				173	if ($_ eq 'sanity') {
582	1					2	if (allowing_insanity) {
583	1					171	$insanity{$pkg} = 1;
584							} else {
585							require Carp;
586							&Carp::croak("Disabled option requested");
587							}
588							} else {
589							# Simply ignore other unimports
590							}
591							}
592							}
593
594							1;
595							__END__