Commit 812ad9b3 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 471613: Replace Bugzilla::Util::is_tainted() by Scalar::Util::tainted() -…

Bug 471613: Replace Bugzilla::Util::is_tainted() by Scalar::Util::tainted() - Patch by Nitish Bezzala <nbezzala@yahoo.com> r/a=LpSolit
parent bf475be8
...@@ -31,6 +31,7 @@ use Bugzilla::Constants; ...@@ -31,6 +31,7 @@ use Bugzilla::Constants;
use File::Basename; use File::Basename;
use POSIX qw(setlocale LC_CTYPE); use POSIX qw(setlocale LC_CTYPE);
use Safe; use Safe;
use Scalar::Util qw(tainted);
use base qw(Exporter); use base qw(Exporter);
our @EXPORT_OK = qw( our @EXPORT_OK = qw(
...@@ -109,7 +110,7 @@ sub install_string { ...@@ -109,7 +110,7 @@ sub install_string {
foreach my $key (@replace_keys) { foreach my $key (@replace_keys) {
my $replacement = $vars->{$key}; my $replacement = $vars->{$key};
die "'$key' in '$string_id' is tainted: '$replacement'" die "'$key' in '$string_id' is tainted: '$replacement'"
if is_tainted($replacement); if tainted($replacement);
# We don't want people to start getting clever and inserting # We don't want people to start getting clever and inserting
# ##variable## into their values. So we check if any other # ##variable## into their values. So we check if any other
# key is listed in the *replacement* string, before doing # key is listed in the *replacement* string, before doing
...@@ -354,10 +355,6 @@ sub trick_taint { ...@@ -354,10 +355,6 @@ sub trick_taint {
return (defined($_[0])); return (defined($_[0]));
} }
sub is_tainted {
return not eval { my $foo = join('',@_), kill 0; 1; };
}
__END__ __END__
=head1 NAME =head1 NAME
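Review bot: The guard `if tainted($replacement);` on L17-18 only fires when perl was started with taint checks (-T); outside taint mode Scalar::Util::tainted() never returns true and the die is silently skipped, exactly as the removed eval/kill trick behaved. The comment block that explained this lived with the old is_tainted (deleted from Bugzilla::Util in this same commit) and nothing replaces it here, so a one-line comment above the die, `# Only meaningful under -T: tainted() reports nothing when taint checks are off.`, would keep that visible to maintainers. Note also that Scalar::Util::tainted() inspects a single scalar, whereas the removed is_tainted() joined its whole argument list, so any other call site that passed several values would need one check per value; install_string passes exactly one here. install_string begins and ends outside this hunk.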
...@@ -31,7 +31,7 @@ package Bugzilla::Util; ...@@ -31,7 +31,7 @@ package Bugzilla::Util;
use strict; use strict;
use base qw(Exporter); use base qw(Exporter);
@Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural @Bugzilla::Util::EXPORT = qw(trick_taint detaint_natural
detaint_signed detaint_signed
html_quote url_quote xml_quote html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode css_class_quote html_light_quote url_decode
...@@ -56,16 +56,6 @@ use Digest; ...@@ -56,16 +56,6 @@ use Digest;
use Scalar::Util qw(tainted); use Scalar::Util qw(tainted);
use Text::Wrap; use Text::Wrap;
# This is from the perlsec page, slightly modified to remove a warning
# From that page:
# This function makes use of the fact that the presence of
# tainted data anywhere within an expression renders the
# entire expression tainted.
# Don't ask me how it works...
sub is_tainted {
return not eval { my $foo = join('',@_), kill 0; 1; };
}
sub trick_taint { sub trick_taint {
require Carp; require Carp;
Carp::confess("Undef to trick_taint") unless defined $_[0]; Carp::confess("Undef to trick_taint") unless defined $_[0];
...@@ -640,7 +630,6 @@ Bugzilla::Util - Generic utility functions for bugzilla ...@@ -640,7 +630,6 @@ Bugzilla::Util - Generic utility functions for bugzilla
use Bugzilla::Util; use Bugzilla::Util;
# Functions for dealing with variable tainting # Functions for dealing with variable tainting
$rv = is_tainted($var);
trick_taint($var); trick_taint($var);
detaint_natural($var); detaint_natural($var);
detaint_signed($var); detaint_signed($var);
...@@ -704,10 +693,6 @@ with care> to avoid security holes. ...@@ -704,10 +693,6 @@ with care> to avoid security holes.
=over 4 =over 4
=item C<is_tainted>
Determines whether a particular variable is tainted
=item C<trick_taint($val)> =item C<trick_taint($val)>
Tricks perl into untainting a particular variable. Tricks perl into untainting a particular variable.
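Review bot: Dropping is_tainted from @EXPORT on L34 (and its definition at L47-49) turns any remaining `is_tainted(...)` call elsewhere in the tree into an "Undefined subroutine" error at run time rather than compile time, since a parenthesised call to an unknown sub compiles cleanly under strict; this commit shows only the one caller it migrates (install_string), so a repository-wide search for the name before landing would confirm nothing else is left. If other modules should not depend on Scalar::Util directly, re-exporting `tainted` by adding it to @EXPORT on L34 would keep a single import point; otherwise a pointer in the POD SYNOPSIS near L55, `# tainting checks: use Scalar::Util qw(tainted)`, would tell readers where the replacement lives. The removed comment was the only place stating that the check relies on taint propagation under -T; one sentence of it next to trick_taint would preserve that.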