diff options
author | Joey Hess <joey@kodama.kitenet.net> | 2008-01-05 01:29:27 -0500 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-01-05 01:29:27 -0500 |
commit | f51e47d7f9b0dbc1fe8c356acadbf5ef2da227af (patch) | |
tree | 1def260e13c89af24cd6685663cc5c9f58720efe /doc/bugs/taint_issue_with_regular_expressions.mdwn | |
parent | 9f2b52cdb0066292b65e226e32fff698393f294a (diff) | |
parent | f9fa96ded77418851da8b094f73c25dbde8a9714 (diff) |
Merge branch 'master' of ssh://git.kitenet.net/srv/git/ikiwiki.info
Diffstat (limited to 'doc/bugs/taint_issue_with_regular_expressions.mdwn')
-rw-r--r-- | doc/bugs/taint_issue_with_regular_expressions.mdwn | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/bugs/taint_issue_with_regular_expressions.mdwn b/doc/bugs/taint_issue_with_regular_expressions.mdwn new file mode 100644 index 000000000..174b4f1c5 --- /dev/null +++ b/doc/bugs/taint_issue_with_regular_expressions.mdwn @@ -0,0 +1,9 @@ +Built from 2.1.17 source, works fine on commandline, but not working from CGI wrapper. Traced problem to regular expressions failing to match, specifically in contexts like the following in Render.pm: + + my ($f)=/$config{wiki_file_regexp}/; # untaint + +It works if I replace it with: + + my ($f)=/(^[-[:alnum:]_.:\/+]+$)/; # untaint + +which is exactly the same regular expression drawn out as a constant. It appears that %config gets some tainted data and is itself being marked entirely tainted, which may prevent using regular expressions contained in it for untainting other data. I'm using Perl 5.8.8. |