[Secure-testing-team] Bug#629511: can report invalid data as valid in untaint mode
Damyan Ivanov
dmn at debian.org
Tue Jun 7 09:23:08 UTC 2011
Package: libdata-formvalidator-perl
Version: 4.66-2
Severity: important
Tags: security squeeze sid wheezy upstream
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=61792
If there is a previous match in $&, the validation routine erroneously
returns success:
$ perl <<'EOF'
use Data::FormValidator;
"bug" =~ /b/;
my $result = Data::FormValidator->check(
    { a => 'b' },    # input data
    {                # validation profile
        untaint_all_constraints => 1,
        optional                => [ 'a' ],
        constraints             => {
            a => qr/a/,    # RE that must match
        },
    },
);
print $result->success, "\n";
EOF
1
$
The following patch fixes the bug by correcting the check for a
successful match.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--- a/lib/Data/FormValidator/Results.pm
+++ b/lib/Data/FormValidator/Results.pm
@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
# With methods, the value is the second argument
my $val = $force_method_p ? $_[1] : $_[0];
my ($match) = scalar ($val =~ $re);
- if ($untaint_this && defined $match) {
+ if ($untaint_this && $match) {
# pass the value through a RE that matches anything to untaint it.
my ($untainted) = ($& =~ m/(.*)/s);
return $untainted;
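Review bot: the changed condition (`- if ($untaint_this && defined $match)` / `+ if ($untaint_this && $match)`) is the right test, because `scalar ($val =~ $re)` yields 1 on success and an empty string (defined but false) on failure, so the old `defined $match` was always true and the untaint branch then read `$&`, which still held the caller's last successful match. Two follow-ups worth considering in the same change: `my ($match) = scalar ($val =~ $re);` can simply be `my $match = $val =~ $re;` (the list assignment of a scalar only obscures the intent), and a regression test for the "prior match in $& plus failing constraint" case from the report would keep this from coming back.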
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
I plan to push this via squeeze-updates, unless the security team
considers it suitable for a DSA.
Cheers!
-- System Information:
Debian Release: wheezy/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.utf8, LC_CTYPE=bg_BG.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libdata-formvalidator-perl depends on:
ii libemail-valid-perl 0.184-1 Perl module for checking the valid
ii libfile-mmagic-perl 1.27-1 Perl module to guess file type
ii libimage-size-perl 3.230-1 module for determining image sizes
ii libmime-types-perl 1.30-1 Perl extension for determining MIM
ii libperl6-junction-perl 1.40000-1 Perl6 style Junction operators in
ii libregexp-common-perl 2011041701-1 module with common regular express
ii perl 5.12.3-7 Larry Wall's Practical Extraction
Versions of packages libdata-formvalidator-perl recommends:
ii libdate-calc-perl 6.0-2+b1 Perl library for accessing dates
libdata-formvalidator-perl suggests no packages.
-- no debconf information
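Added example, not taken from the report or from the Data::FormValidator code base: a stand-alone model of the untainting closure in its pre-patch and patched forms, run on the report's input, so the effect of the `defined` test versus the truthiness test can be seen side by side. The helper name make_checker and the $use_defined_test switch are this example's own.

```perl
#!/usr/bin/perl
# Added example (not Data::FormValidator's own code): model of the
# untaint path in _create_sub_from_RE, with the old and the fixed check.
use strict;
use warnings;

# Build a checker for $re. $use_defined_test = 1 reproduces the buggy
# condition from before the patch; 0 uses the patched condition.
sub make_checker {
    my ($re, $use_defined_test) = @_;
    return sub {
        my ($val) = @_;
        # In scalar context a failed match yields "" (defined but false),
        # so 'defined $match' is true even when nothing matched.
        my ($match) = scalar ($val =~ $re);
        my $ok = $use_defined_test ? defined $match : $match;
        if ($ok) {
            # $& is the text of the last SUCCESSFUL match in scope: after
            # a failed attempt it still holds whatever matched earlier.
            my ($untainted) = ($& =~ m/(.*)/s);
            return $untainted;
        }
        return;    # undef: the constraint failed
    };
}

"bug" =~ /b/;    # unrelated earlier match, as in the report; $& is now "b"

my $old = make_checker(qr/a/, 1);
my $new = make_checker(qr/a/, 0);

for my $input ('b', 'a') {
    my $stale = $old->($input);
    my $fixed = $new->($input);
    printf "input '%s': pre-patch %s, patched %s\n", $input,
        defined $stale ? "accepts '$stale'" : "rejects",
        defined $fixed ? "accepts '$fixed'" : "rejects";
}
```

With input 'b' the pre-patch checker hands back "b" copied from the stale $&, while the patched one rejects; with input 'a' both accept "a".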