Red Hat Bugzilla – Bug 692844
lc launders tainted flag
Last modified: 2011-04-01 10:42:06 EDT
perlsec manual states:
> Laundering data using regular expression is the _only_ mechanism for
> untainting dirty data, [...]
However, perl-5.12.3-142.fc14.x86_64 clears the tainted flag even after the lc() and uc() Perl functions:
$ perl -Te 'use Scalar::Util qw(tainted); printf("%d %d %d\n", tainted($0), tainted(lc($0)), tainted(uc($0)));'
1 0 0
This has been recognized by upstream as a security regression and fixed in the forthcoming perl-5.14 (RT #87336).
*** This bug has been marked as a duplicate of bug 692898 ***
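The one-liner from the report, expanded into a regression check that can be run against an installed perl. This is an added example, not part of the original report or of the upstream fix. It goes beyond the report by also checking lcfirst() and ucfirst(), on the assumption that the sibling case-mapping functions deserve the same check, and the file name taint-check.pl and the regex used for the control case are illustrative.

```perl
#!/usr/bin/perl
# Added example: run as `perl -T taint-check.pl` (the file name is illustrative).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# $0 is tainted under -T; the report's one-liner uses it as its dirty input.
my $dirty = $0;
die "expected \$0 to be tainted; run this script under perl -T\n"
    unless tainted($dirty);

# lc and uc are the functions named in the report. lcfirst and ucfirst are
# an assumption of this example, added to cover the sibling functions.
my %case_ops = (
    lc      => sub { lc $_[0] },
    uc      => sub { uc $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

my $failures = 0;
for my $name (sort keys %case_ops) {
    my $out = $case_ops{$name}->($dirty);
    if (tainted($out)) {
        print "ok    $name() result is still tainted\n";
    }
    else {
        print "FAIL  $name() cleared the taint flag\n";
        $failures++;
    }
}

# Control case: per perlsec, a regex capture is the intended way to launder
# data, so this result is expected to be untainted. The pattern is a
# constructed allow-list for a plain script path.
my ($clean) = $dirty =~ m{\A([\w./-]+)\z};
if (!defined $clean) {
    print "skip  control: \$0 did not match the allow-list pattern\n";
}
elsif (tainted($clean)) {
    print "FAIL  control: regex capture is still tainted\n";
    $failures++;
}
else {
    print "ok    control: regex capture is untainted\n";
}

# Non-zero exit lets a package test suite or CI job catch the regression.
exit($failures ? 1 : 0);
```

On a perl showing the behaviour in this report, the lc() and uc() lines print FAIL and the script exits with status 1.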