Bug 371306 (CVE-2011-2201) - dev-perl/Data-FormValidator: Form validation bypass and info leak vulnerability (CVE-2011-2201)
Summary: dev-perl/Data-FormValidator: Form validation bypass and info leak vulnerabili...
Status: RESOLVED FIXED
Alias: CVE-2011-2201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://rt.cpan.org/Public/Bug/Displa...
Whiteboard: ~4 [noglsa]
Reported: 2011-06-12 20:33 UTC by Tim Sammut (RETIRED)
Modified: 2013-09-03 18:21 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 20:33:45 UTC
From the upstream bug at $URL:

When untaint_all_constraints is used, D::F::Results reports an
invalid field as valid. The content is the last successful regexp
match, which may be absolutely unrelated to DFV. I reproduced
the bug with the attached script using Perl 5.12.1 and DFV 4.66 on
a Debian Lenny system.

I believe the problem is in line 809 of D::F::Results:

    my ($match) = scalar ($val =~ $re);
    if ($untaint_this && defined $match) {
        # pass the value through a RE that matches anything to untaint it.
        my ($untainted) = ($& =~ m/(.*)/s);
        return $untainted;
    }

The "scalar" has been added between 4.61 and 4.66. Even if $re
does not match, the scalar returns a defined value, which leads
into an old $& being used.
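
The behaviour described in the report above, as an added stand-alone example (not code from the bug report or from Data::FormValidator): the quoted pattern next to one possible stricter form. The function names check_flawed and check_strict, the sample regex and the sample strings are constructed for illustration, and check_strict is an assumption, not the upstream patch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern quoted in the report: scalar() turns a failed match into a
# defined empty string, so the defined() test passes even on failure.
sub check_flawed {
    my ($val, $re) = @_;
    my ($match) = scalar($val =~ $re);
    if (defined $match) {
        # On a failed match $& still holds the last successful match
        # visible in this dynamic scope, wherever it came from.
        my ($untainted) = ($& =~ m/(.*)/s);
        return $untainted;
    }
    return;
}

# Hypothetical stricter form (assumption, not the upstream fix): take the
# value from a capture in the same match, in list context, so a failed
# match yields an empty list and the result stays undef.
sub check_strict {
    my ($val, $re) = @_;
    my ($untainted) = ($val =~ m/($re)/);
    return $untainted;
}

# Constructed sample data.
my $zip_re = qr/^\d{5}$/;

# An unrelated successful match made earlier by the application.
"session-secret-123" =~ /secret-\d+/;

for my $input ("12345", "not-a-zip") {
    my $flawed = check_flawed($input, $zip_re);
    my $strict = check_strict($input, $zip_re);
    printf "%-10s flawed=%s strict=%s\n", $input,
        defined $flawed ? "'$flawed'" : 'undef',
        defined $strict ? "'$strict'" : 'undef';
}
```

For the invalid input, check_flawed returns text from the unrelated earlier match, while check_strict returns undef.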
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:35:37 UTC
CVE-2011-2201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2201):
  The Data::FormValidator module 4.66 and earlier for Perl, when
  untaint_all_constraints is enabled, does not properly preserve the taint
  attribute of data, which might allow remote attackers to bypass the taint
  protection mechanism via form input.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:21:59 UTC
No affected versions in tree, ~ only. Closing noglsa.