Closed
Bug 141006
Opened 22 years ago
Closed 20 years ago
edit*.cgis should be run in taint mode
Categories
(Bugzilla :: Administration, task, P2)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: jouni, Assigned: glob)
Details
(Whiteboard: [needed for win32bz])
Attachments
(1 file, 1 obsolete file)
3.45 KB,
patch
|
jouni
:
review+
|
Details | Diff | Splinter Review |
Taint mode should be enabled for admin cgis as well. See discussion in bug 140784 - it may be that this is nothing more than adding -T to the shebang lines, but better test carefully. I guess this is 2.18, then.
Comment 1•22 years ago
|
||
Most of this will occur when I move most of these files over to my new administration architecture. (bug #97706).
Assignee: justdave → matty
Severity: enhancement → normal
Priority: -- → P2
QA Contact: matty → jake
Target Milestone: --- → Bugzilla 2.18
Reporter | ||
Comment 2•22 years ago
|
||
Ok. Matty, when will your new architecture be ready? I've been running 2.16-slightly-pre-rc1 for several weeks now with all the admin files in taint mode, and had no problems whatsoever. So if a quick fix for this is needed, just adding the -Ts to shebang lines will probably be just fine.
Comment 3•22 years ago
|
||
It's already ready, it's just waiting review and checkin once 2.18 opens.
Comment 4•21 years ago
|
||
According to a discussion on developers@ today (http://bugzilla.org/cgi-bin/mj_wwwusr?list=developers&brief=on&func=archive-get-part&extra=200305/169), it looks like this will be necessary for "out of the box" compatibility with Win32. It seems IIS and taint modes are finicky.
Whiteboard: [needed for win32bz]
Comment 5•21 years ago
|
||
Its a reuiqrement if we run edit* in mod_perl, but thats not gong to happen before they're rewritten anyway. We can enable mod_perl on a per-script basis. IIS requires renaming the file to have a different extention, IIRC
Comment 6•21 years ago
|
||
This works for me Microsoft Windows 2000 [Version 5.00.2195] Bugzilla 2.17.4 Perl v5.8.0 built for cygwin-multi-64int see bug 208521 is '2.16-slightly-pre-rc1' a cvs tag? if so I will check it on monday the 16
Comment 7•21 years ago
|
||
had some new ideas on this... have IIS load bash to execute the cgi, this way the #! line will be used to run the file... have note tested this yet. more to come.
Reporter | ||
Comment 8•21 years ago
|
||
The overhead of invoking bash at every CGI load is not acceptable on all systems, not to talk about the problems of requiring bash anyway. Besides, I don't think it's bash that's relevant - it might well be the Perl application itself. Thus, the bash solution will probably work well on Cygwin but not on native Win32 Perl. Taint mode is good anyway. I wonder how realistic waiting for MattyT's new admin architecture is - landing that before 2.18 sounds like a pretty tough goal...
Comment 9•21 years ago
|
||
the only other way for IIS to load script files correctly is to use a dll to read the first line. unless perl has an option to allow the #!/bin/perl -options take precedence?
Comment 10•21 years ago
|
||
Active State Perl will not read the first line of the cgi's... "#!/bin/perl -w" will not activate strict mode. it only works if you say "use strict;" and finaly if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted mode this way *g*. realy bad :-). this is special for active state perl. :-)
Comment 11•21 years ago
|
||
regardings my last posting... this is special to Microsoft IIS and Active State Perl - no matter if 5.6.1 or 5.8
Comment 12•21 years ago
|
||
Taking Jake's bugs... his Army Reserve unit has been deployed.
QA Contact: jake → justdave
Comment 13•20 years ago
|
||
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Comment 14•20 years ago
|
||
>if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
>mode this way *g*. realy bad :-). this is special for active state perl.
That's just because IIS is using perl.exe to run the file and you need to tell
it sooner than that about the taint.
If you change the script mapping in IIS from:
<full path to perl.exe>\perl.exe "%s" %s
to:
<full path to perl.exe>\perl.exe -t "%s" %s
Then you shouldn't get the error, and it should still be in taint mode (in
fact, everything should be in taint mode that way).
Comment 15•20 years ago
|
||
Fat fingers... make that: <full path to perl.exe>\perl.exe -T "%s" %s
Updated•20 years ago
|
Comment 16•20 years ago
|
||
I think I'd like to ship the 2.18rc1 with taint mode enabled on all the files, whether they're known to work or not. Most of the taint errors have been found already by the Windows folks (because they don't get a choice - see dependencies), and I'm sure we'll shake out the rest during RC. Fixing taint errors will certainly be worth adding to a stable release if we miss a few, too.
Flags: blocking2.18+
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Assignee | ||
Comment 17•20 years ago
|
||
Reporter | ||
Comment 18•20 years ago
|
||
Comment on attachment 149022 [details] [diff] [review] enable taint mode on edit*.cgi You must also edit t/002goodperl.t to remove the edit* exception. And please do check if testing suite runs properly thereafter.
Attachment #149022 -
Flags: review-
Assignee | ||
Comment 19•20 years ago
|
||
Attachment #149022 -
Attachment is obsolete: true
Attachment #149038 -
Flags: review?
Reporter | ||
Comment 20•20 years ago
|
||
Comment on attachment 149038 [details] [diff] [review] enable taint mode on edit*.cgi r=jouni This may conflict with some of the individual taint fixes going on in other bugs (bug 208847 comes to mind) changing the shebang line, but those are trivial.
Attachment #149038 -
Flags: review? → review+
Reporter | ||
Comment 21•20 years ago
|
||
Dave, do you want a new meta bug filed for taint issues, or shall we just nuke the dependencies for this?
Flags: approval?
Comment 22•20 years ago
|
||
hmm, we can nuke the dependencies I suppose. taint is an easy enough keyword to search for.
Reporter | ||
Comment 23•20 years ago
|
||
Checked in. Bypassed the conflict from editgroups.cgi already having -T added (bug 208847 I just checked in). I'll post in webtools alerting people about possible issues. Checking in editcomponents.cgi; /cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v <-- editcomponents.cgi new revision: 1.40; previous revision: 1.39 done Checking in editmilestones.cgi; /cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v <-- editmilestones.cgi new revision: 1.21; previous revision: 1.20 done Checking in editparams.cgi; /cvsroot/mozilla/webtools/bugzilla/editparams.cgi,v <-- editparams.cgi new revision: 1.22; previous revision: 1.21 done Checking in editproducts.cgi; /cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi new revision: 1.49; previous revision: 1.48 done Checking in editusers.cgi; /cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi new revision: 1.56; previous revision: 1.55 done Checking in editversions.cgi; /cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v <-- editversions.cgi new revision: 1.22; previous revision: 1.21 done Checking in t/002goodperl.t; /cvsroot/mozilla/webtools/bugzilla/t/002goodperl.t,v <-- 002goodperl.t new revision: 1.13; previous revision: 1.12 done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
QA Contact: justdave → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•