Bug 692844 - lc launders tainted flag
Summary: lc launders tainted flag
Status: CLOSED DUPLICATE of bug 692898
Alias: None
Product: Fedora
Classification: Fedora
Component: perl
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
URL: http://rt.perl.org/rt3//Public/Bug/Di...
Depends On:
Reported: 2011-04-01 10:54 UTC by Petr Pisar
Modified: 2011-04-01 14:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 692862
Last Closed: 2011-04-01 14:42:06 UTC
Type: ---

System ID Private Priority Status Summary Last Updated
CPAN 87336 0 None None None Never

Description Petr Pisar 2011-04-01 10:54:36 UTC
perlsec manual states:

> Laundering data using regular expression is the _only_ mechanism for
> untainting dirty data, [...]

However, perl-5.12.3-142.fc14.x86_64 clears the tainted flag even after the lc() and uc() Perl functions:

$ perl -Te 'use Scalar::Util qw(tainted); printf("%d %d %d\n", tainted($0), tainted(lc($0)), tainted(uc($0)));'
1 0 0

This has been recognized by upstream as a security regression and fixed in the forthcoming perl-5.14 (RT #87336).
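
A regression check built on the report's one-liner, added here as an example and not part of the original report or of the perl packaging. It confirms that the case-mapping built-ins keep the taint flag and contrasts them with the regex capture that perlsec documents as the laundering mechanism. The sample string is constructed, and lcfirst/ucfirst are included as an extension beyond the two functions the report names.

```perl
#!/usr/bin/perl
# Added example: run as `perl -T taint_check.pl` (file name is hypothetical).
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed sample: a fixed string tainted by appending a zero-length
# slice of tainted data ($0 and $^X are tainted under -T).
my $dirty = "MiXeD" . substr("$0$^X", 0, 0);
die "could not build a tainted sample\n" unless tainted($dirty);

# Built-ins that must propagate taint from argument to result.
my %ops = (
    lc      => sub { lc $_[0] },
    uc      => sub { uc $_[0] },
    lcfirst => sub { lcfirst $_[0] },   # extension beyond the report
    ucfirst => sub { ucfirst $_[0] },   # extension beyond the report
);

my $laundered = 0;
for my $name (sort keys %ops) {
    my $out  = $ops{$name}->($dirty);
    my $kept = tainted($out) ? 1 : 0;
    $laundered++ unless $kept;
    printf "%-8s -> %-6s %s\n", $name, $out,
        $kept ? "taint preserved" : "TAINT LOST";
}

# Contrast: the documented laundering path is an explicit regex capture,
# where the pattern itself is the validation step.
my ($clean) = $dirty =~ /\A([A-Za-z]+)\z/;
printf "%-8s -> %-6s %s\n", "regex", $clean,
    tainted($clean) ? "still tainted" : "untainted (by design)";

# Non-zero exit makes the script usable as a build or CI gate.
exit($laundered ? 1 : 0);
```

On an affected build the lc and uc rows report TAINT LOST and the script exits with status 1.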

Comment 1 Jan Lieskovsky 2011-04-01 14:42:06 UTC

*** This bug has been marked as a duplicate of bug 692898 ***
