Closed
Bug 141006
Opened 23 years ago
Closed 21 years ago
edit*.cgis should be run in taint mode
Categories
(Bugzilla :: Administration, task, P2)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: jouni, Assigned: glob)
Details
(Whiteboard: [needed for win32bz])
Attachments
(1 file, 1 obsolete file)
|
3.45 KB,
patch
|
jouni
:
review+
|
Details | Diff | Splinter Review |
Taint mode should be enabled for admin cgis as well. See discussion in bug
140784 - it may be that this is nothing more than adding -T to the shebang
lines, but better test carefully. I guess this is 2.18, then.
|
||
Comment 1•23 years ago
|
||
Most of this will occur when I move most of these files over to my new
administration architecture. (bug #97706).
Assignee: justdave → matty
Severity: enhancement → normal
Priority: -- → P2
QA Contact: matty → jake
Target Milestone: --- → Bugzilla 2.18
|
Reporter | |
Comment 2•23 years ago
|
||
Ok. Matty, when will your new architecture be ready?
I've been running 2.16-slightly-pre-rc1 for several weeks now with all the admin
files in taint mode, and had no problems whatsoever. So if a quick fix for this
is needed, just adding the -Ts to shebang lines will probably be just fine.
|
|
||
Comment 3•23 years ago
|
||
It's already ready, it's just waiting review and checkin once 2.18 opens.
|
||
Comment 4•22 years ago
|
||
According to a discussion on developers@ today
(http://bugzilla.org/cgi-bin/mj_wwwusr?list=developers&brief=on&func=archive-get-part&extra=200305/169),
it looks like this will be necessary for "out of the box" compatibility with Win32.
It seems IIS and taint modes are finicky.
Whiteboard: [needed for win32bz]
|
|
||
Comment 5•22 years ago
|
||
Its a reuiqrement if we run edit* in mod_perl, but thats not gong to happen
before they're rewritten anyway. We can enable mod_perl on a per-script basis.
IIS requires renaming the file to have a different extention, IIRC
|
||
Comment 6•22 years ago
|
||
This works for me
Microsoft Windows 2000 [Version 5.00.2195]
Bugzilla 2.17.4
Perl v5.8.0 built for cygwin-multi-64int
see bug 208521
is '2.16-slightly-pre-rc1' a cvs tag? if so I will check it on monday the 16
|
|
||
Comment 7•22 years ago
|
||
had some new ideas on this...
have IIS load bash to execute the cgi, this way the #! line will be used to run
the file...
have note tested this yet.
more to come.
|
|
Reporter | |
Comment 8•22 years ago
|
||
The overhead of invoking bash at every CGI load is not acceptable on all
systems, not to talk about the problems of requiring bash anyway. Besides, I
don't think it's bash that's relevant - it might well be the Perl application
itself. Thus, the bash solution will probably work well on Cygwin but not on
native Win32 Perl.
Taint mode is good anyway. I wonder how realistic waiting for MattyT's new
admin architecture is - landing that before 2.18 sounds like a pretty tough
goal...
|
|
||
Comment 9•22 years ago
|
||
the only other way for IIS to load script files correctly is to use a dll to
read the first line.
unless perl has an option to allow the
#!/bin/perl -options
take precedence?
|
||
Comment 10•22 years ago
|
||
Active State Perl will not read the first line of the cgi's... "#!/bin/perl -w"
will not activate strict mode. it only works if you say "use strict;" and finaly
if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
mode this way *g*. realy bad :-). this is special for active state perl. :-)
|
|
||
Comment 11•22 years ago
|
||
regardings my last posting... this is special to Microsoft IIS and Active State
Perl - no matter if 5.6.1 or 5.8
|
||
Comment 12•22 years ago
|
||
Taking Jake's bugs... his Army Reserve unit has been deployed.
QA Contact: jake → justdave
|
|
||
Comment 13•22 years ago
|
||
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as
blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
|
|
||
Comment 14•22 years ago
|
||
>if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
>mode this way *g*. realy bad :-). this is special for active state perl.
That's just because IIS is using perl.exe to run the file and you need to tell
it sooner than that about the taint.
If you change the script mapping in IIS from:
<full path to perl.exe>\perl.exe "%s" %s
to:
<full path to perl.exe>\perl.exe -t "%s" %s
Then you shouldn't get the error, and it should still be in taint mode (in
fact, everything should be in taint mode that way).
|
|
||
Comment 15•22 years ago
|
||
Fat fingers... make that:
<full path to perl.exe>\perl.exe -T "%s" %s
|
|
||
Updated•21 years ago
|
|
|
||
Comment 16•21 years ago
|
||
I think I'd like to ship the 2.18rc1 with taint mode enabled on all the files,
whether they're known to work or not.
Most of the taint errors have been found already by the Windows folks (because
they don't get a choice - see dependencies), and I'm sure we'll shake out the
rest during RC. Fixing taint errors will certainly be worth adding to a stable
release if we miss a few, too.
Flags: blocking2.18+
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
|
Assignee | |
Comment 17•21 years ago
|
||
|
|
Reporter | |
Comment 18•21 years ago
|
||
Comment on attachment 149022 [details] [diff] [review]
enable taint mode on edit*.cgi
You must also edit t/002goodperl.t to remove the edit* exception. And please do
check if testing suite runs properly thereafter.
Attachment #149022 -
Flags: review-
|
|
Assignee | |
Comment 19•21 years ago
|
||
Attachment #149022 -
Attachment is obsolete: true
Attachment #149038 -
Flags: review?
|
|
Reporter | |
Comment 20•21 years ago
|
||
Comment on attachment 149038 [details] [diff] [review]
enable taint mode on edit*.cgi
r=jouni
This may conflict with some of the individual taint fixes going on in other
bugs (bug 208847 comes to mind) changing the shebang line, but those are
trivial.
Attachment #149038 -
Flags: review? → review+
|
|
Reporter | |
Comment 21•21 years ago
|
||
Dave, do you want a new meta bug filed for taint issues, or shall we just nuke
the dependencies for this?
Flags: approval?
|
|
||
Comment 22•21 years ago
|
||
hmm, we can nuke the dependencies I suppose. taint is an easy enough keyword to
search for.
|
|
Reporter | |
Comment 23•21 years ago
|
||
Checked in. Bypassed the conflict from editgroups.cgi already having -T added
(bug 208847 I just checked in). I'll post in webtools alerting people about
possible issues.
Checking in editcomponents.cgi;
/cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v <-- editcomponents.cgi
new revision: 1.40; previous revision: 1.39
done
Checking in editmilestones.cgi;
/cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v <-- editmilestones.cgi
new revision: 1.21; previous revision: 1.20
done
Checking in editparams.cgi;
/cvsroot/mozilla/webtools/bugzilla/editparams.cgi,v <-- editparams.cgi
new revision: 1.22; previous revision: 1.21
done
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi
new revision: 1.49; previous revision: 1.48
done
Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi
new revision: 1.56; previous revision: 1.55
done
Checking in editversions.cgi;
/cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v <-- editversions.cgi
new revision: 1.22; previous revision: 1.21
done
Checking in t/002goodperl.t;
/cvsroot/mozilla/webtools/bugzilla/t/002goodperl.t,v <-- 002goodperl.t
new revision: 1.13; previous revision: 1.12
done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
QA Contact: justdave → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•