From b955c8d1282ac7c0762c7a12dd8549e13110bfb1 Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Tue, 11 Oct 2016 17:18:08 -0400 Subject: Bug 1309278 - Cache::Memcached::Fast returns tainted data if the key is tainted --- Bugzilla/Memcached.pm | 49 +++---------------------------------------------- 1 file changed, 3 insertions(+), 46 deletions(-) diff --git a/Bugzilla/Memcached.pm b/Bugzilla/Memcached.pm index f73623720..a1b8a5ac7 100644 --- a/Bugzilla/Memcached.pm +++ b/Bugzilla/Memcached.pm @@ -12,8 +12,8 @@ use strict; use warnings; use Bugzilla::Error; -use Bugzilla::Util qw(trick_taint); use Scalar::Util qw(blessed); +use Bugzilla::Util qw(trick_taint); use URI::Escape; use Encode; use Sys::Syslog qw(:DEFAULT); @@ -224,6 +224,7 @@ sub _config_prefix { sub _encode_key { my ($self, $key) = @_; $key = $self->_global_prefix . '.' . uri_escape_utf8($key); + trick_taint($key) if defined $key; return length($self->{namespace} . $key) > MAX_KEY_LENGTH ? undef : $key; @@ -247,51 +248,7 @@ sub _get { $key = $self->_encode_key($key) or return; - my $value = $self->{memcached}->get($key); - return unless defined $value; - - # detaint returned values - # hashes and arrays are detainted just one level deep - if (ref($value) eq 'HASH') { - _detaint_hashref($value); - } - elsif (ref($value) eq 'ARRAY') { - foreach my $value (@$value) { - next unless defined $value; - # arrays of hashes and arrays are common - if (ref($value) eq 'HASH') { - _detaint_hashref($value); - } - elsif (ref($value) eq 'ARRAY') { - _detaint_arrayref($value); - } - elsif (!ref($value)) { - trick_taint($value); - } - } - } - elsif (!ref($value)) { - trick_taint($value); - } - return $value; -} - -sub _detaint_hashref { - my ($hashref) = @_; - foreach my $value (values %$hashref) { - if (defined($value) && !ref($value)) { - trick_taint($value); - } - } -} - -sub _detaint_arrayref { - my ($arrayref) = @_; - foreach my $value (@$arrayref) { - if (defined($value) && !ref($value)) { - trick_taint($value); - } - } + return $self->{memcached}->get($key); } sub _delete { -- cgit v1.2.3-24-g4f1b