Closed Bug 1187897 Opened 9 years ago Closed 8 years ago

Taint Mode Error in Crypt::OpenPGP v1.10

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: dylan, Assigned: dylan)

References

(Blocks 1 open bug)

Details

Error below. This does not happen on production, thankfully...

Insecure dependency in eval while running with -T switch at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 107.
 at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 104.
	Crypt::OpenPGP::Util::get_random_bytes(490) called at /usr/local/share/perl5/Crypt/OpenPGP/SessionKey.pm line 96
I suspect fixing bug 1186416 would address this issue.
See Also: → 1186416
Blocks: 1181406
https://github.com/btrott/Crypt-OpenPGP/blob/master/lib/Crypt/OpenPGP/Util.pm#L104

There are definitely string evals there, for the sole purpose of testing for random module alternatives.

Consider filing an upstream bug at their GitHub?
https://github.com/btrott/Crypt-OpenPGP/issues/28 filed. Feel free to improve it. :-)

Gerv
This doesn't seem to happen any more. I bet it was an error at a distance fixed by fixing nested template application. Maybe.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Aha, the real reason is jobqueue doesn't run under taint mode. That said, even if I pass a tainted 490 value into the get_random_bytes() it doesn't error.
Component: Extensions: SecureMail → Extensions
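
An added example, not code from this bug or from Crypt::OpenPGP: it reproduces the class of error in the trace above ("Insecure dependency in eval while running with -T switch") and shows a module probe that avoids string eval. Digest::SHA stands in for the optional random-number modules, and `probe_module` and its allow-list are hypothetical names chosen for the illustration.

```perl
#!/usr/bin/perl
# Added example. Run as: perl -T taint_eval_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Constructed tainted input: substr($^X, 0, 0) is an empty but tainted string,
# so appending it taints the value without changing its text.
my $requested = 'Digest::SHA' . substr($^X, 0, 0);
printf "requested name is tainted:  %s\n", tainted($requested) ? 'yes' : 'no';

# Taint-safe probe (hypothetical helper): accept only names on a fixed
# allow-list, untaint through a regex capture, then load with block eval +
# require so that no string is ever compiled as code.
sub probe_module {
    my ($name) = @_;
    return 0 unless $name =~ /\A(Digest::(?:SHA|MD5))\z/;
    my $clean = $1;                      # capture groups are untainted
    (my $file = "$clean.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# 1. String eval of a constant: the literal carries no taint, so it is allowed.
my $const_ok = eval('require Digest::SHA; 1');
print "string eval, constant text: ", ($const_ok ? "loaded\n" : "failed: $@");

# 2. String eval of text built from tainted data: perl refuses before compiling.
#    The outer block eval only catches that fatal error so the demo continues.
my $tainted_ok = eval { eval "require $requested; 1" };
print "string eval, tainted text:  ", ($tainted_ok ? "loaded\n" : "refused: $@");

# 3. The same tainted request, and a name outside the allow-list, through
#    the block-eval probe.
print "probe, allow-listed name:   ",
    (probe_module($requested) ? "loaded" : "unavailable"), "\n";
print "probe, unlisted name:       ",
    (probe_module('No::Such::Module') ? "loaded" : "rejected"), "\n";
```

Case 2 is fatal without the enclosing block eval, which is how such an error reaches the top of a request instead of being treated as "module not available".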