Closed
Bug 1187897
Opened 9 years ago
Closed 8 years ago
Taint Mode Error in Crypt::OpenPGP v1.10
Categories
(bugzilla.mozilla.org :: Extensions, defect)
RESOLVED
WORKSFORME
People
(Reporter: dylan, Assigned: dylan)
References
(Blocks 1 open bug)
Details
Error below. This does not happen on production, thankfully...

Insecure dependency in eval while running with -T switch at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 107.
 at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 104.
    Crypt::OpenPGP::Util::get_random_bytes(490) called at /usr/local/share/perl5/Crypt/OpenPGP/SessionKey.pm line 96
I suspect fixing bug 1186416 would address this issue.
See Also: → 1186416
https://github.com/btrott/Crypt-OpenPGP/blob/master/lib/Crypt/OpenPGP/Util.pm#L104
There are definitely string evals there, for the sole purpose of testing for random module alternatives. Consider filing an upstream bug at their GitHub?
Comment 3•9 years ago
https://github.com/btrott/Crypt-OpenPGP/issues/28 filed. Feel free to improve it. :-) Gerv
Assignee
Comment 4•8 years ago
This doesn't seem to happen any more. I bet it was an error at a distance fixed by fixing nested template application. Maybe.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Assignee
Comment 5•8 years ago
Aha, the real reason is jobqueue doesn't run under taint mode. That said, even if I pass a tainted 490 value into the get_random_bytes() it doesn't error.
Updated•5 years ago
Component: Extensions: SecureMail → Extensions
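
How Perl produces the message quoted in this report, as an added example that is not code from Crypt::OpenPGP, Bugzilla or any commenter: under `perl -T` a string eval whose text carries taint is rejected, a constant-string module probe is not, and a validated name with block eval never compiles a string at all. The module name `Digest::SHA`, the sub names and the script name are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from Crypt::OpenPGP or Bugzilla.
# Run as: perl -T taint_probe.pl   (file name is hypothetical; needs perl 5.14+)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "start me with perl -T\n" unless ${^TAINT};

# Constructed tainted input: a zero-length slice of $0/$^X carries the taint flag.
my $taint  = substr("$0$^X", 0, 0);
my $module = 'Digest::SHA' . $taint;    # core module name, now tainted

# Format a probe result; $@ is stripped of its trailing newline.
sub report { my ($ok) = @_; return $ok ? 'loaded' : 'failed: ' . ($@ =~ s/\s+\z//r) }

# 1. Probe written as a constant string eval: nothing tainted reaches eval.
sub probe_constant {
    my $ok = eval 'require Digest::SHA; 1';
    return report($ok);
}

# 2. Probe whose eval string is built from tainted data. Perl rejects the string
#    before compiling it, so the outer block eval is what catches the error.
sub probe_interpolated {
    my ($name) = @_;
    my $ok = eval { eval "require $name; 1" or die $@; 1 };
    return report($ok);
}

# 3. Hardened probe: validate the name (a regex capture is untainted), then use
#    block eval with a file path so no code string is ever compiled.
sub probe_validated {
    my ($name) = @_;
    return 'rejected' unless $name =~ /\A((?:\w+::)*\w+)\z/;
    my $clean = $1;
    (my $file = "$clean.pm") =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    return report($ok);
}

printf "module name tainted:  %s\n", tainted($module) ? 'yes' : 'no';
print  "constant string eval: ", probe_constant(), "\n";
print  "tainted string eval:  ", probe_interpolated($module), "\n";
print  "validated block eval: ", probe_validated($module), "\n";
```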