author | justdave%syndicomm.com <> | 2002-01-20 09:44:34 +0000 |
---|---|---|
committer | justdave%syndicomm.com <> | 2002-01-20 09:44:34 +0000 |
commit | 4e6767d4c3d1b0b583f4ec076992345545294748 (patch) | |
tree | 44d10a299f4d910400fb420b38e21e769c00be7e /globals.pl | |
parent | 72f340e3a12668c9356102c71f864afa986e001a (diff) | |
Fix for bug 108982: enable taint mode for all user-facing CGI files.
Patch by Brad Baetz <bbaetz@student.usyd.edu.au>
r= jake, justdave
Diffstat (limited to 'globals.pl')
-rw-r--r-- | globals.pl | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/globals.pl b/globals.pl
index 87db566c1..36e1f86f1 100644
--- a/globals.pl
+++ b/globals.pl
@@ -194,8 +194,27 @@ sub SqlLog {
 }
 }
 
+# This is from the perlsec page, slightly modifed to remove a warning
+# From that page:
+# This function makes use of the fact that the presence of
+# tainted data anywhere within an expression renders the
+# entire expression tainted.
+# Don't ask me how it works...
+sub is_tainted {
+ return not eval { my $foo = join('',@_), kill 0; 1; };
+}
+
 sub SendSQL {
 my ($str, $dontshadow) = (@_);
+
+ # Don't use DBI's taint stuff yet, because:
+ # a) We don't want out vars to be tainted (yet)
+ # b) We want to know who called SendSQL...
+ # Is there a better way to do b?
+ if (is_tainted($str)) {
+ die "Attempted to send tainted string to the database";
+ }
+
 my $iswrite = ($str =~ /^(INSERT|REPLACE|UPDATE|DELETE)/i);
 if ($iswrite && !$::dbwritesallowed) {
 die "Evil code attempted to write stuff to the shadow database."; |
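Review bot: The new guard in SendSQL fails open when the interpreter is not running in taint mode: `is_tainted` depends on `kill 0` raising a taint exception inside the `eval`, so in any script that loads globals.pl without `-T` (the commit title covers only the user-facing CGI files) it returns false for every string and the `die` never fires. A comment above `is_tainted` should say so, e.g. `# Only meaningful under -T; without taint mode this always returns false.` The SendSQL comment could also note that an untainted `$str` only shows its parts went through an untainting step, not that they were SQL-quoted, so the check is a backstop rather than a replacement for quoting. On the open question in b), a plain `die` reports the line in globals.pl rather than the caller; `my (undef, $file, $line) = caller;` followed by `die "Attempted to send tainted string to the database at $file line $line\n";` names the call site without putting the SQL text into the message. SendSQL's body continues past the end of the hunk.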