Open
Description
When Taint mode is enabled at runtime, the results of param() are not tainted. (Dancer2-0.142000, via CPAN.)
To reproduce: $ dancer2 -a TaintTest
Modify bin/app.pl to include a stanza to enable taint just before dancing:

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use FindBin;
use lib "$FindBin::Bin/../lib";

use TaintTest;
# Taint::Runtime switches taint checking on at runtime instead of via perl -T
use Taint::Runtime qw(taint_start taint_env taint_enabled);
taint_start();   # turn taint checking on from here on
taint_env();     # mark the values in %ENV as tainted, as perl -T would
warn 'Taint enabled: '.taint_enabled();
TaintTest->dance;
```
Add a trivial form to views/index.tt:

```html
<form method="post">
<input type="text" name="arg">
<input type="submit">
</form>
```
And add trivial routes to lib/TaintTest.pm:

```perl
package TaintTest;
use Dancer2;
use Scalar::Util qw(tainted);

get '/:arg2' => sub {
    template 'index';
};

post '/:arg2' => sub {
    my $route = params('route')->{arg2};   # captured from the path
    my $body  = params('body')->{arg};     # from the posted form
    my $ret = 'route param is '.(tainted($route) ? '' : 'NOT')." tainted\n";
    return $ret.'body param is '.(tainted($body) ? '' : 'NOT')." tainted\n";
};

true;
```
Run it, go to /something, and post the form. The response is that both parameters are untainted.
When the fix for issue #567 reaches a stable release, this probably justifies retesting without Taint::Runtime, in case the fault lies in the interaction with it. However, from a cursory look through the source, route params are being untainted because they are parsed via a regex capture.
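As an added example, not part of the original report and not Dancer2's own code, the stand-alone script below (run it with `perl -T`) shows the mechanism suggested above: a regex capture of a tainted path launders the taint, as a router does when it captures `:arg2`, and appending a tainted empty string puts the taint back so that downstream code still has to validate the value. The function names taint_seed, capture_route_param, capture_route_param_tainted and validated_route_param are my own, and the route regex is a simplified model, not Dancer2's.

```perl
# Run with: perl -T taint_capture.pl   (-T is required for taint to exist at all)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value in %ENV is tainted; a zero-length substring of one
# is therefore a tainted empty string, the classic perlsec idiom for
# re-tainting data without changing its contents.
sub taint_seed {
    return substr(join('', values %ENV), 0, 0);
}

# Model of what a router does with a path like /something: capture the
# segment with a regex. Perl treats a successful capture as validation,
# so $1 comes back untainted even though the input was tainted.
sub capture_route_param {
    my ($path) = @_;
    return $path =~ m{^/([^/]+)\z} ? $1 : undef;
}

# Same capture, but the result is re-tainted by appending a tainted empty
# string, so it cannot reach system(), open(), etc. without an explicit
# validation step later on.
sub capture_route_param_tainted {
    my ($path) = @_;
    my $val = capture_route_param($path);
    return defined $val ? $val . taint_seed() : undef;
}

# A validation regex narrow enough to justify untainting: word characters
# and dashes only, the sort of constraint a route should impose before the
# value is used anywhere dangerous.
sub validated_route_param {
    my ($tainted_val) = @_;
    return $tainted_val =~ /\A([\w-]+)\z/ ? $1 : undef;
}

# Constructed input: a literal path made tainted the same way a real
# request path would be when it arrives from the network.
my $path = '/something' . taint_seed();

for my $case (
    ['request path',          $path],
    ['plain regex capture',   capture_route_param($path)],
    ['re-tainted capture',    capture_route_param_tainted($path)],
    ['validated route param', validated_route_param(capture_route_param_tainted($path))],
) {
    my ($label, $val) = @$case;
    printf "%-24s %-12s %s\n", $label, $val, tainted($val) ? 'tainted' : 'NOT tainted';
}
```

Under `perl -T` the first and third lines report the value as tainted and the second and fourth as untainted: the bare capture has already lost its taint, which is the behaviour the route-parameter half of this report describes, while the re-tainted copy keeps it until the narrower validation regex deliberately removes it.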