Closed Bug 125427 Opened 23 years ago Closed 22 years ago

Taint error in duplicates.cgi with perl < 5.6 ("Insecure dependency in glob")

Categories

(Bugzilla :: Reporting/Charting, defect, P1)

Product:
Bugzilla
Component:
Reporting/Charting
Version:
2.15
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: afranke, Assigned: bbaetz)

References

Details

Attachments

(1 file, 1 obsolete file)

v2
3.04 KB, patch
gerv
: review+
myk
: review+
Details | Diff | Splinter Review 
When running duplicates.cgi with perl 5.005_02 I get the following software
error:

Insecure dependency in glob while running with -T switch at
/home/bugzilla/apache/htdocs/duplicates.cgi line 82. 

The line where the error occurs is:

	if (<data/duplicates/dupes$today*>)

This error does not occur with perl 5.6.0.

<Quotes from bbaetz on IRC>

bbaetz@landfill:~$ perl -wT 
if (<foo*>) { print "FOO\n"; }
bbaetz@landfill:~$ perl5.00503 -wT
if (<foo*>) { print "FOO\n"; }
Insecure dependency in glob while running with -T switch at - line 1.
bbaetz@landfill:~$ 

since dbmopen will create the file if it doesn't exist, we need to check for
existance but we can't...

perldelta says that they no longer spawn csh for globbing
thats probably it

I think that it needs to use tie rather than dbmopen
and then set the mode to not create

</Quotes>
OK, we need to remove the glob and just check the return value from dbmopen.
I'll do this after the templatistaion - theres no point before that.
Severity: normal → blocker
Status: NEW → ASSIGNED
Depends on: 119635
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
duplicates.cgi templatization is done.  Got a patch?
Nope. I can hack one up on Fri, but I can't test it, since I don't have perl
5.005 installed, and this doesn't occur with 5.6. landfill is still down, and I
don't know if it will have 5.005 on it when it comes up.

I'll put up a patch, though, which should work, but not today.
Attached patch v1 (obsolete) — Splinter Review 
OK, here we go. dbm_open creates teh file if it doesn't exist, so checking the
return value is no good. I can't test for the existtance of $filename.db,
because I don't know if the .db extention is standard. I'm using tie instead,
now, and not passing in O_CREAT. I'm detecting file not found via Errno.

Is this safe on both windows, and per 5.005?

I only have 5.6.1, so I can't even test that this fixes the original problem.
Who wants to volunteer?
There is a third dbmopen statement for "dupes$whenever*" in
duplicates.cgi.  The patch will have to include that one as
well.
Attached patch v2Splinter Review 
oops. 3rd instance fixed
Attachment #78705 - Attachment is obsolete: true
Keywords: patch, review
Comment on attachment 78856 [details] [diff] [review]
v2

r=gerv, if, for my general education, you can explain to me the differences (if
any) between dbmopen and tie in these circumstances :-)

Gerv
Attachment #78856 - Flags: review+
gerv: tie lets me avoid the O_CREAT which dbmopen always uses. Its ok for the
file to be hissing, so we don't want it created....
tested on landfill, without the patch |perl5.00503 -wT ./duplicates.cgi| gives
errors, with the patch its fine
Comment on attachment 78856 [details] [diff] [review]
v2

I can't test this patch on 5.0x, but it works on 5.6, and I'll trust bbaetz
that it fixes the problem in landfill. r=myk
Attachment #78856 - Flags: review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: