Taint resurrected unexpectedly (1.8.1)

Hi!

I’m seeing something seemingly incorrect in a CGI script
wherein an object is untainted, then a new object is
created via string interpolation using the untainted object,
and the new object becomes tainted.

I’ve whittled the code down to a pretty simple script…
I wasn’t able to reproduce it without actually using the
CGI module though… Here’s what I have:

$ cat taint.rb

$SAFE = 1

require 'cgi'

alias log puts

cgi = CGI.new("html4Tr")

# cgi.out {
  view = cgi['view']
log("1 view=#{view}")
log("2 view tainted? #{view.tainted?}")
  view.untaint  # if view =~ /\A\w*\z/
log("3 view tainted? #{view.tainted?}")
  filename = "demo/#{view}"      #### ****** filename can become tainted!
log("4 filename tainted? #{filename.tainted?}")
  filename.untaint unless view.tainted?
log("5 filename tainted? #{filename.tainted?}")
# }

The output is:

$ ruby -v
ruby 1.8.1 (2003-12-25) [i686-linux]

$ ruby taint.rb
(offline mode: enter name=value pairs on standard input)
view=spang
1 view=spang
2 view tainted? false
3 view tainted? false
4 filename tainted? true
5 filename tainted? false

[I don’t know if I’m doing something stupid… In the actual real CGI script, (as opposed to the “offline mode” whittled down one) I’m used to output line #2 being “true” as well. I’m not sure why line #2 is false here… so I’m worried I’m overlooking something silly…]

In any case, it’s line #4 that is causing me trouble. In
both this test script and in the real CGI script, my log
shows I’ve successfully untainted the object (referenced
by the ‘view’ variable) prior to using it in the string
interpolation:

filename = "demo/#{view}"

…and yet ‘filename’ is coming out tainted. That’s not
correct behavior is it? Or am I missing something?

Thanks!

Regards,

Bill

Bill Kelly wrote:

In any case, it’s line #4 that is causing me trouble. In
both this test script and in the real CGI script, my log
shows I’ve successfully untainted the object (referenced
by the ‘view’ variable) prior to using it in the string
interpolation:

filename = "demo/#{view}"

...and yet 'filename' is coming out tainted. That's not
correct behavior is it? Or am I missing something?

Does CGI# still return an array? I thought this had changed, but at
any rate:

$SAFE = 1
view = ['spang']
view.first.taint        # taint the element, not the container
view.untaint            # untaints only the Array itself
p view.tainted? #=> false
filename = "demo/#{view}"   # interpolation stringifies the tainted element
p filename.tainted? #=> true

Check what type view actually has before the interpolation. It may be
that you are interpolating tainted elements from an untainted container.

HTH



Kent Dahl
Master of Science in Technology student, Industrial economics and technology management
(engineering.discipline=Computer::Technology)

Hi Kent,

Check what type view actually has before the interpolation. It may be
that you are interpolating tainted elements from an untainted container.

Aha!

view class=CGI::QueryExtension::Value

Thanks! Interesting… I thought I was dealing with a
simple string… Apparently it’s a container that acts
like a string during interpolation, as you correctly
surmised…

D'oh... :)

HTH

Yes indeedy!

Thanks,

Bill
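The problem Kent Dahl diagnoses above (an untainted container wrapping still-tainted elements) is exactly the kind of mistake taint mode was meant to catch, but the check a practitioner needs today has to be explicit: Ruby deprecated taint tracking in 2.7 and removed it in 3.2. The following is an added example, not code from the original thread or from Ruby's cgi library. It shows the unchecked interpolation from the thread beside a version that first reduces the parameter to a plain String and then allowlists it before building the path. `ParamValue` is an assumed stand-in that mimics the "container that acts like a string during interpolation" Bill describes, not the real `CGI::QueryExtension::Value`; `naive_path`, `view_name_from`, `safe_view_path` and the sample inputs are constructed for this example.

```ruby
# Added example (not code from the original thread): building a file path
# from an untrusted CGI parameter without depending on Ruby's taint flags.
# Taint tracking was deprecated in Ruby 2.7 and removed in 3.2, so the
# validation must be explicit. ParamValue is an assumed stand-in for the
# 1.8-era CGI value object, not the real CGI::QueryExtension::Value.

BASE_DIR  = 'demo'
# Allowlist: ASCII letters, digits and underscore only. \A and \z anchor the
# whole string, so "spang\n" (which /^\w+$/ would accept) is rejected.
VIEW_NAME = /\A\w+\z/

# Stand-in for the container the thread discovered: an Array of all submitted
# values for a parameter that stringifies to its first element, so it reads
# like a String inside "#{...}" interpolation.
class ParamValue < Array
  def to_s
    first.to_s
  end
end

# The pattern from the thread: interpolate whatever the CGI layer handed us.
# Works for the happy path and for the container, but validates nothing.
def naive_path(param)
  "#{BASE_DIR}/#{param}"
end

# Reduce whatever object the CGI layer returned to one plain String.
# A missing parameter (nil) becomes "", which the allowlist then rejects.
def view_name_from(param)
  raw = param.is_a?(Array) ? param.first : param
  String(raw)
end

# Returns "demo/<name>" for an allowlisted name and nil for anything else.
# Validating the String copy rather than the container closes the gap from
# the thread: an untainted wrapper around unchecked elements proves nothing.
def safe_view_path(param)
  name = view_name_from(param)
  return nil unless name.match?(VIEW_NAME)
  File.join(BASE_DIR, name)
end

# Constructed sample inputs standing in for what cgi['view'] might yield.
SAMPLE_PARAMS = {
  'plain string'     => 'spang',
  'container value'  => ParamValue['spang'],
  'multi-valued'     => ParamValue['spang', 'other'],
  'traversal'        => '../../etc/passwd',
  'trailing newline' => "spang\n",
  'empty'            => '',
  'missing'          => nil,
}.freeze

# Map each sample to its validated path (or nil) so results can be inspected.
def classify_samples
  SAMPLE_PARAMS.transform_values { |param| safe_view_path(param) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PARAMS.each do |label, param|
    puts format('%-17s naive=%-26s safe=%s', label,
                naive_path(param).inspect, safe_view_path(param).inspect)
  end
end
```

Run stand-alone, the table makes the contrast visible: `naive_path` happily produces `demo/../../etc/passwd`, while `safe_view_path` returns nil for the traversal, the newline-terminated name, the empty string and the missing parameter, and `demo/spang` for both the plain String and the container form.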