Taint mode should be enabled for admin cgis as well. See discussion in bug 140784 - it may be that this is nothing more than adding -T to the shebang lines, but better test carefully. I guess this is 2.18, then.
Most of this will occur when I move most of these files over to my new administration architecture. (bug #97706).
Assignee: justdave → matty
Severity: enhancement → normal
Priority: -- → P2
QA Contact: matty → jake
Target Milestone: --- → Bugzilla 2.18
Ok. Matty, when will your new architecture be ready? I've been running 2.16-slightly-pre-rc1 for several weeks now with all the admin files in taint mode, and had no problems whatsoever. So if a quick fix for this is needed, just adding the -Ts to shebang lines will probably be just fine.
It's already ready, it's just waiting review and checkin once 2.18 opens.
According to a discussion on developers@ today (http://bugzilla.org/cgi-bin/mj_wwwusr?list=developers&brief=on&func=archive-get-part&extra=200305/169), it looks like this will be necessary for "out of the box" compatibility with Win32. It seems IIS and taint modes are finicky.
Whiteboard: [needed for win32bz]
Its a reuiqrement if we run edit* in mod_perl, but thats not gong to happen before they're rewritten anyway. We can enable mod_perl on a per-script basis. IIS requires renaming the file to have a different extention, IIRC
This works for me Microsoft Windows 2000 [Version 5.00.2195] Bugzilla 2.17.4 Perl v5.8.0 built for cygwin-multi-64int see bug 208521 is '2.16-slightly-pre-rc1' a cvs tag? if so I will check it on monday the 16
had some new ideas on this... have IIS load bash to execute the cgi, this way the #! line will be used to run the file... have note tested this yet. more to come.
The overhead of invoking bash at every CGI load is not acceptable on all systems, not to talk about the problems of requiring bash anyway. Besides, I don't think it's bash that's relevant - it might well be the Perl application itself. Thus, the bash solution will probably work well on Cygwin but not on native Win32 Perl. Taint mode is good anyway. I wonder how realistic waiting for MattyT's new admin architecture is - landing that before 2.18 sounds like a pretty tough goal...
the only other way for IIS to load script files correctly is to use a dll to read the first line. unless perl has an option to allow the #!/bin/perl -options take precedence?
Active State Perl will not read the first line of the cgi's... "#!/bin/perl -w" will not activate strict mode. it only works if you say "use strict;" and finaly if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted mode this way *g*. realy bad :-). this is special for active state perl. :-)
regardings my last posting... this is special to Microsoft IIS and Active State Perl - no matter if 5.6.1 or 5.8
Taking Jake's bugs... his Army Reserve unit has been deployed.
QA Contact: jake → justdave
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
>if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted >mode this way *g*. realy bad :-). this is special for active state perl. That's just because IIS is using perl.exe to run the file and you need to tell it sooner than that about the taint. If you change the script mapping in IIS from: <full path to perl.exe>\perl.exe "%s" %s to: <full path to perl.exe>\perl.exe -t "%s" %s Then you shouldn't get the error, and it should still be in taint mode (in fact, everything should be in taint mode that way).
Fat fingers... make that: <full path to perl.exe>\perl.exe -T "%s" %s
I think I'd like to ship the 2.18rc1 with taint mode enabled on all the files, whether they're known to work or not. Most of the taint errors have been found already by the Windows folks (because they don't get a choice - see dependencies), and I'm sure we'll shake out the rest during RC. Fixing taint errors will certainly be worth adding to a stable release if we miss a few, too.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Comment on attachment 149022 [details] [diff] [review] enable taint mode on edit*.cgi You must also edit t/002goodperl.t to remove the edit* exception. And please do check if testing suite runs properly thereafter.
Attachment #149022 - Flags: review-
Comment on attachment 149038 [details] [diff] [review] enable taint mode on edit*.cgi r=jouni This may conflict with some of the individual taint fixes going on in other bugs (bug 208847 comes to mind) changing the shebang line, but those are trivial.
Attachment #149038 - Flags: review? → review+
Dave, do you want a new meta bug filed for taint issues, or shall we just nuke the dependencies for this?
hmm, we can nuke the dependencies I suppose. taint is an easy enough keyword to search for.
Checked in. Bypassed the conflict from editgroups.cgi already having -T added (bug 208847 I just checked in). I'll post in webtools alerting people about possible issues. Checking in editcomponents.cgi; /cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v <-- editcomponents.cgi new revision: 1.40; previous revision: 1.39 done Checking in editmilestones.cgi; /cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v <-- editmilestones.cgi new revision: 1.21; previous revision: 1.20 done Checking in editparams.cgi; /cvsroot/mozilla/webtools/bugzilla/editparams.cgi,v <-- editparams.cgi new revision: 1.22; previous revision: 1.21 done Checking in editproducts.cgi; /cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi new revision: 1.49; previous revision: 1.48 done Checking in editusers.cgi; /cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi new revision: 1.56; previous revision: 1.55 done Checking in editversions.cgi; /cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v <-- editversions.cgi new revision: 1.22; previous revision: 1.21 done Checking in t/002goodperl.t; /cvsroot/mozilla/webtools/bugzilla/t/002goodperl.t,v <-- 002goodperl.t new revision: 1.13; previous revision: 1.12 done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.