taint
copy of tainted variable makes original variable forget it was a reference
Copying a function variable makes it forget that it was a reference. This is with PHP 5.3.10 (the latest in Ubuntu precise).
Demo code:
<?php
header('Content-Type: text/plain');

$string = '[email protected]';
echo "input: " . $string . "\n";
echo "expected result: @bar.com\n-----\n\n";

// Run once with the variable tainted, once with it untainted.
taint($string);
checkEmailAddress($string);
untaint($string);
checkEmailAddress($string);

function checkEmailAddress($address) {
    if (is_tainted($address)) {
        echo "with tainted variable:\n";
    } else {
        echo "with normal variable:\n";
    }
    // getAddressSpec() takes $address by reference and overwrites it.
    $ret = getAddressSpec($address);
    echo "RESULT: ";
    var_dump($address);
    echo "\n\n";
}

function getAddressSpec(&$at) {
    echo "BEFORE CHANGE: ";
    var_dump($at);
    // This line is the problem. It works for tainted variables if we remove it.
    $oldat = $at;
    // Change contents of reference
    $at = '@bar.com';
    echo "AFTER CHANGE IN SAME FUNCTION: ";
    var_dump($at);
}
?>
You'll see that the result of checkEmailAddress changes if we change the 'taintedness' of the variable given to the function.
Output with PHP 5.3.10:
input: [email protected]
expected result: @bar.com
-----
with tainted variable:
BEFORE CHANGE: &string(11) "[email protected]"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(11) "[email protected]"
with normal variable:
BEFORE CHANGE: string(11) "[email protected]"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"