1#!./perl -T 2use strict; 3use Test::More; 4BEGIN { 5 plan( 6 ${^TAINT} 7 ? (tests => 45) 8 : (skip_all => "A perl without taint support") 9 ); 10} 11use lib qw( ./t/lib ); 12use Testing qw( 13 create_file_ok 14 mkdir_ok 15 symlink_ok 16 dir_path 17 file_path 18); 19 20my %Expect_File = (); # what we expect for $_ 21my %Expect_Name = (); # what we expect for $File::Find::name/fullname 22my %Expect_Dir = (); # what we expect for $File::Find::dir 23my ($cwd, $cwd_untainted); 24 25BEGIN { 26 require File::Spec; 27 if ($ENV{PERL_CORE}) { 28 # May be doing dynamic loading while @INC is all relative 29 @INC = map { $_ = File::Spec->rel2abs($_); /(.*)/; $1 } @INC; 30 } 31} 32 33use Config; 34 35BEGIN { 36 if ($^O ne 'VMS') { 37 for (keys %ENV) { # untaint ENV 38 ($ENV{$_}) = $ENV{$_} =~ /(.*)/; 39 } 40 } 41 42 # Remove insecure directories from PATH 43 my @path; 44 my $sep = $Config{path_sep}; 45 foreach my $dir (split(/\Q$sep/,$ENV{'PATH'})) 46 { 47 ## 48 ## Match the directory taint tests in mg.c::Perl_magic_setenv() 49 ## 50 push(@path,$dir) unless (length($dir) >= 256 51 or 52 substr($dir,0,1) ne "/" 53 or 54 (stat $dir)[2] & 002); 55 } 56 $ENV{'PATH'} = join($sep,@path); 57} 58 59my $symlink_exists = eval { symlink("",""); 1 }; 60 61use File::Find; 62use File::Spec; 63use Cwd; 64 65my $orig_dir = cwd(); 66( my $orig_dir_untainted ) = $orig_dir =~ m|^(.+)$|; # untaint it 67 68cleanup(); 69 70my $found; 71find({wanted => sub { ++$found if $_ eq 'taint.t' }, 72 untaint => 1, untaint_pattern => qr|^(.+)$|}, File::Spec->curdir); 73 74is($found, 1, 'taint.t found once'); 75$found = 0; 76 77finddepth({wanted => sub { ++$found if $_ eq 'taint.t'; }, 78 untaint => 1, untaint_pattern => qr|^(.+)$|}, File::Spec->curdir); 79 80is($found, 1, 'taint.t found once again'); 81 82my $case = 2; 83my $FastFileTests_OK = 0; 84 85sub cleanup { 86 chdir($orig_dir_untainted); 87 my $need_updir = 0; 88 if (-d dir_path('for_find_taint')) { 89 $need_updir = 1 if chdir(dir_path('for_find_taint')); 90 } 91 if (-d dir_path('fa_taint')) { 92 unlink file_path('fa_taint', 'fa_ord'), 93 file_path('fa_taint', 'fsl'), 94 file_path('fa_taint', 'faa', 'faa_ord'), 95 file_path('fa_taint', 'fab', 'fab_ord'), 96 file_path('fa_taint', 'fab', 'faba', 'faba_ord'), 97 file_path('fb_taint', 'fb_ord'), 98 file_path('fb_taint', 'fba', 'fba_ord'); 99 rmdir dir_path('fa_taint', 'faa'); 100 rmdir dir_path('fa_taint', 'fab', 'faba'); 101 rmdir dir_path('fa_taint', 'fab'); 102 rmdir dir_path('fa_taint'); 103 rmdir dir_path('fb_taint', 'fba'); 104 rmdir dir_path('fb_taint'); 105 } 106 if ($need_updir) { 107 my $updir = $^O eq 'VMS' ? File::Spec::VMS->updir() : File::Spec->updir; 108 chdir($updir); 109 } 110 if (-d dir_path('for_find_taint')) { 111 rmdir dir_path('for_find_taint') or print "# Can't rmdir for_find_taint: $!\n"; 112 } 113} 114 115END { 116 cleanup(); 117} 118 119sub wanted_File_Dir { 120 print "# \$File::Find::dir => '$File::Find::dir'\t\$_ => '$_'\n"; 121 s#\.$## if ($^O eq 'VMS' && $_ ne '.'); # 122 s/(.dir)?$//i if ($^O eq 'VMS' && -d _); 123 ok( $Expect_File{$_}, "found $_ for \$_, as expected" ); 124 if ( $FastFileTests_OK ) { 125 delete $Expect_File{$_} 126 unless ( $Expect_Dir{$_} && ! -d _ ); 127 } 128 else { 129 delete $Expect_File{$_} 130 unless ( $Expect_Dir{$_} && ! -d $_ ); 131 } 132} 133 134sub wanted_File_Dir_prune { 135 &wanted_File_Dir; 136 $File::Find::prune=1 if $_ eq 'faba'; 137} 138 139sub simple_wanted { 140 print "# \$File::Find::dir => '$File::Find::dir'\n"; 141 print "# \$_ => '$_'\n"; 142} 143 144# Use topdir() to specify a directory path that you want to pass to 145# find/finddepth. Historically topdir() differed on Mac OS classic. 146 147*topdir = \&dir_path; 148 149# Use file_path_name() to specify a file path that's expected for 150# $File::Find::Name (%Expect_Name). Note: When the no_chdir => 1 151# option is in effect, $_ is the same as $File::Find::Name. In that 152# case, also use this function to specify a file path that's expected 153# for $_. 154# 155# Historically file_path_name differed on Mac OS classic. 156 157*file_path_name = \&file_path; 158 159 160mkdir_ok( dir_path('for_find_taint'), 0770 ); 161ok( chdir( dir_path('for_find_taint')), 'successful chdir() to for_find_taint' ); 162 163$cwd = cwd(); # save cwd 164( $cwd_untainted ) = $cwd =~ m|^(.+)$|; # untaint it 165 166mkdir_ok( dir_path('fa_taint'), 0770 ); 167mkdir_ok( dir_path('fb_taint'), 0770 ); 168create_file_ok( file_path('fb_taint', 'fb_ord') ); 169mkdir_ok( dir_path('fb_taint', 'fba'), 0770 ); 170create_file_ok( file_path('fb_taint', 'fba', 'fba_ord') ); 171SKIP: { 172 skip "Creating symlink", 1, unless $symlink_exists; 173 ok( symlink('../fb_taint','fa_taint/fsl'), 'Created symbolic link' ); 174} 175create_file_ok( file_path('fa_taint', 'fa_ord') ); 176 177mkdir_ok( dir_path('fa_taint', 'faa'), 0770 ); 178create_file_ok( file_path('fa_taint', 'faa', 'faa_ord') ); 179mkdir_ok( dir_path('fa_taint', 'fab'), 0770 ); 180create_file_ok( file_path('fa_taint', 'fab', 'fab_ord') ); 181mkdir_ok( dir_path('fa_taint', 'fab', 'faba'), 0770 ); 182create_file_ok( file_path('fa_taint', 'fab', 'faba', 'faba_ord') ); 183 184print "# check untainting (no follow)\n"; 185 186# untainting here should work correctly 187 188%Expect_File = (File::Spec->curdir => 1, file_path('fsl') => 189 1,file_path('fa_ord') => 1, file_path('fab') => 1, 190 file_path('fab_ord') => 1, file_path('faba') => 1, 191 file_path('faa') => 1, file_path('faa_ord') => 1); 192delete $Expect_File{ file_path('fsl') } unless $symlink_exists; 193%Expect_Name = (); 194 195%Expect_Dir = ( dir_path('fa_taint') => 1, dir_path('faa') => 1, 196 dir_path('fab') => 1, dir_path('faba') => 1, 197 dir_path('fb_taint') => 1, dir_path('fba') => 1); 198 199delete @Expect_Dir{ dir_path('fb_taint'), dir_path('fba') } unless $symlink_exists; 200 201File::Find::find( {wanted => \&wanted_File_Dir_prune, untaint => 1, 202 untaint_pattern => qr|^(.+)$|}, topdir('fa_taint') ); 203 204is(scalar keys %Expect_File, 0, 'Found all expected files'); 205 206# don't untaint at all, should die 207%Expect_File = (); 208%Expect_Name = (); 209%Expect_Dir = (); 210undef $@; 211eval {File::Find::find( {wanted => \&simple_wanted}, topdir('fa_taint') );}; 212like( $@, qr|Insecure dependency|, 'Tainted directory causes death (good)' ); 213chdir($cwd_untainted); 214 215 216# untaint pattern doesn't match, should die 217undef $@; 218 219eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1, 220 untaint_pattern => qr|^(NO_MATCH)$|}, 221 topdir('fa_taint') );}; 222 223like( $@, qr|is still tainted|, 'Bad untaint pattern causes death (good)' ); 224chdir($cwd_untainted); 225 226 227# untaint pattern doesn't match, should die when we chdir to cwd 228print "# check untaint_skip (No follow)\n"; 229undef $@; 230 231eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1, 232 untaint_skip => 1, untaint_pattern => 233 qr|^(NO_MATCH)$|}, topdir('fa_taint') );}; 234 235print "# $@" if $@; 236#$^D = 8; 237like( $@, qr|insecure cwd|, 'Bad untaint pattern causes death in cwd (good)' ); 238 239chdir($cwd_untainted); 240 241 242SKIP: { 243 skip "Symbolic link tests", 17, unless $symlink_exists; 244 print "# --- symbolic link tests --- \n"; 245 $FastFileTests_OK= 1; 246 247 print "# check untainting (follow)\n"; 248 249 # untainting here should work correctly 250 # no_chdir is in effect, hence we use file_path_name to specify the expected paths for %Expect_File 251 252 %Expect_File = (file_path_name('fa_taint') => 1, 253 file_path_name('fa_taint','fa_ord') => 1, 254 file_path_name('fa_taint', 'fsl') => 1, 255 file_path_name('fa_taint', 'fsl', 'fb_ord') => 1, 256 file_path_name('fa_taint', 'fsl', 'fba') => 1, 257 file_path_name('fa_taint', 'fsl', 'fba', 'fba_ord') => 1, 258 file_path_name('fa_taint', 'fab') => 1, 259 file_path_name('fa_taint', 'fab', 'fab_ord') => 1, 260 file_path_name('fa_taint', 'fab', 'faba') => 1, 261 file_path_name('fa_taint', 'fab', 'faba', 'faba_ord') => 1, 262 file_path_name('fa_taint', 'faa') => 1, 263 file_path_name('fa_taint', 'faa', 'faa_ord') => 1); 264 265 %Expect_Name = (); 266 267 %Expect_Dir = (dir_path('fa_taint') => 1, 268 dir_path('fa_taint', 'faa') => 1, 269 dir_path('fa_taint', 'fab') => 1, 270 dir_path('fa_taint', 'fab', 'faba') => 1, 271 dir_path('fb_taint') => 1, 272 dir_path('fb_taint', 'fba') => 1); 273 274 File::Find::find( {wanted => \&wanted_File_Dir, follow_fast => 1, 275 no_chdir => 1, untaint => 1, untaint_pattern => 276 qr|^(.+)$| }, topdir('fa_taint') ); 277 278 is( scalar(keys %Expect_File), 0, 'Found all files in symlink test' ); 279 280 281 # don't untaint at all, should die 282 undef $@; 283 284 eval {File::Find::find( {wanted => \&simple_wanted, follow => 1}, 285 topdir('fa_taint') );}; 286 287 like( $@, qr|Insecure dependency|, 'Not untainting causes death (good)' ); 288 chdir($cwd_untainted); 289 290 # untaint pattern doesn't match, should die 291 undef $@; 292 293 eval {File::Find::find( {wanted => \&simple_wanted, follow => 1, 294 untaint => 1, untaint_pattern => 295 qr|^(NO_MATCH)$|}, topdir('fa_taint') );}; 296 297 like( $@, qr|is still tainted|, 'Bat untaint pattern causes death (good)' ); 298 chdir($cwd_untainted); 299 300 # untaint pattern doesn't match, should die when we chdir to cwd 301 print "# check untaint_skip (Follow)\n"; 302 undef $@; 303 304 eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1, 305 untaint_skip => 1, untaint_pattern => 306 qr|^(NO_MATCH)$|}, topdir('fa_taint') );}; 307 like( $@, qr|insecure cwd|, 'Cwd not untainted with bad pattern (good)' ); 308 309 chdir($cwd_untainted); 310} 311