
Request parameters are not tainted

LionsPhil opened this issue 11 years ago • 2 comments

When Taint mode is enabled at runtime, the results of param() are not tainted. (Dancer2-0.142000, via CPAN.)

To reproduce: $ dancer2 -a TaintTest

Modify bin/app.pl to include a stanza to enable taint just before dancing:

use TaintTest;

# Enable taint checking at runtime, just before the app starts dancing.
use Taint::Runtime qw(taint_start taint_env taint_enabled);
taint_start();
taint_env();
warn 'Taint enabled: '.taint_enabled();

TaintTest->dance;

Add a trivial form to views/index.tt:

<form method="post">
<input type="text" name="arg">
<input type="submit">
</form>

And add trivial routes to lib/TaintTest.pm:

# GET renders the form; the :arg2 path segment is a route parameter.
get '/:arg2' => sub {
    template 'index';
};

use Scalar::Util qw(tainted);

# POST reports whether the route param and the form (body) param are tainted.
post '/:arg2' => sub {
    my $route = params('route')->{arg2};
    my $body  = params('body')->{arg};
    my $ret = 'route param is '.(tainted $route ? '' : 'NOT ')."tainted\n";
    return $ret.'body param is '.(tainted $body ? '' : 'NOT ')."tainted\n";
};

Run it, go to /something, and post the form. The response is that both parameters are untainted.

When the fix for issue #567 reaches stable release this probably justifies retesting without the use of Taint::Runtime in case the fault lies in interaction with that. However, from a cursory look through the source, route params are being untainted because they are parsed via a regex capture.

LionsPhil, Jul 04 '14 09:07
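The mechanism suspected above (a regex capture silently untainting route parameters) can be shown outside Dancer2. The following stand-alone script is an added example, not code from the issue or from Dancer2; it assumes Perl 5.10 or newer (for `//`) and Scalar::Util, and the helper names `flag`, `validate_slug` and `demand_untainted` are mine. It contrasts a catch-all capture, which launders taint without checking anything, with an allow-list pattern, which untaints only values of the expected shape, and shows the `tainted()` check used as a guard before acting on data.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_demo.pl 'abc123'     (or with no argument)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, command-line arguments are tainted, just as data read from a
# socket would be; this stands in for the request parameter in the report.
# With no argument, a constructed sample value is tainted by concatenating an
# empty substring of the (tainted) PATH variable, a standard idiom.
my $input = @ARGV ? shift @ARGV
          : 'constructed-sample' . substr($ENV{PATH} // '', 0, 0);

sub flag { tainted($_[0]) ? 'tainted' : 'NOT tainted' }

print "raw input is ", flag($input), "\n";

# 1. A catch-all capture: parsing through a regex untaints the capture even
#    though nothing about the value was checked. This is the behaviour the
#    report attributes to route parameter parsing.
my ($laundered) = $input =~ /^(.*)$/s;
print "catch-all capture is ", flag($laundered), "\n";

# 2. An allow-list pattern: the capture is untainted only when the value
#    really has the expected shape; anything else is refused (undef).
sub validate_slug {
    my ($value) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /^([A-Za-z0-9_-]{1,64})$/;
    return $clean;
}

my $slug = validate_slug($input);
if (defined $slug) {
    print "validated value '$slug' is ", flag($slug), "\n";
} else {
    print "input rejected: not a valid slug\n";
}

# 3. The same tainted() check as a guard: refuse to act on data that is still
#    tainted (for example before handing it to open, system or a file path).
sub demand_untainted {
    my ($name, $value) = @_;
    die "refusing to use $name: still tainted\n" if tainted($value);
    return $value;
}

eval { demand_untainted('raw input', $input) };
print "guard: $@" if $@;
demand_untainted('validated value', $slug) if defined $slug;
```

Run with `perl -T`; without the `-T` switch nothing is ever tainted and every check reports "NOT tainted". The practical point for a web application is that taint mode only helps if the framework (and the PSGI server feeding it) preserves the taint flag on request data, and if the application's own untainting is done with patterns as narrow as `validate_slug`, not catch-all captures.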

The fix @xsawyerx applied for #567 was released in Dancer2-0.140000.

I had a quick poke around in the param processing inside Core::Request. It looks like Dancer2 is being supplied untainted data when using HTTP::Server::PSGI (the default when you run ./bin/app.pl).

There are other servers; on my dev box, Starman gives different results (plackup -p 3000 -s Starman bin/app.pl). @LionsPhil can you run the same tests using Starman to verify this?

Maybe the best approach here is a doc patch to highlight that different servers have impacts on taint.

veryrusty, Jul 05 '14 06:07

Running through Starman with the command you suggest shows that both variables are untainted here.

If this is a PSGI server issue, a doc comment seems a reasonable resolution to me.

LionsPhil, Jul 07 '14 09:07