don't taint $$ determined by getpid()

Reading $$ in a tainted expression was tainting the internal sv_setiv()
on $$.  Since the value being set came directly from getpid(), it's
always safe, so override the tainting there.  Fixes [perl #109688].

diff --git a/mg.c b/mg.c
index f450d17..8b30f93 100644 (file)
--- a/mg.c
+++ b/mg.c
@@ -1079,9 +1079,12 @@ Perl_magic_get(pTHX_ SV *sv, MAGIC *mg)
     case '$': /* $$ */
        {
            IV const pid = (IV)PerlProc_getpid();
-           if (isGV(mg->mg_obj) || SvIV(mg->mg_obj) != pid)
+           if (isGV(mg->mg_obj) || SvIV(mg->mg_obj) != pid) {
                /* never set manually, or at least not since last fork */
                sv_setiv(sv, pid);
+               /* never unsafe, even if reading in a tainted expression */
+               SvTAINTED_off(sv);
+           }
            /* else a value has been assigned manually, so do nothing */
        }
        break;

diff --git a/t/op/taint.t b/t/op/taint.t
index 0b626f3..1b75439 100644 (file)
--- a/t/op/taint.t
+++ b/t/op/taint.t
@@ -17,7 +17,7 @@ BEGIN {
 use strict;
 use Config;
 
-plan tests => 791;
+plan tests => 793;
 
 $| = 1;
 
@@ -2176,6 +2176,13 @@ for(1,2) {
 }
 pass("no death when TARG of ref is tainted");
 
+# $$ should not be tainted by being read in a tainted expression.
+{
+    isnt_tainted $$, "PID not tainted initially";
+    my $x = $ENV{PATH}.$$;
+    isnt_tainted $$, "PID not tainted when read in tainted expression";
+}
+
 {
     use feature 'fc';
     use locale;