Closed Bug 141006 Opened 19 years ago Closed 17 years ago

edit*.cgis should be run in taint mode


(Bugzilla :: Administration, task, P2)




Bugzilla 2.18


(Reporter: jouni, Assigned: glob)


(Whiteboard: [needed for win32bz])


(1 file, 1 obsolete file)

Taint mode should be enabled for admin cgis as well. See discussion in bug
140784 - it may be that this is nothing more than adding -T to the shebang
lines, but better test carefully. I guess this is 2.18, then.
Most of this will occur when I move most of these files over to my new
administration architecture. (bug #97706).
Assignee: justdave → matty
Severity: enhancement → normal
Priority: -- → P2
QA Contact: matty → jake
Target Milestone: --- → Bugzilla 2.18
Ok. Matty, when will your new architecture be ready?

I've been running 2.16-slightly-pre-rc1 for several weeks now with all the admin
files in taint mode, and had no problems whatsoever. So if a quick fix for this
is needed, just adding the -Ts to shebang lines will probably be just fine.
It's already ready, it's just waiting review and checkin once 2.18 opens.
According to a discussion on developers@ today
it looks like this will be necessary for "out of the box" compatibility with Win32.

It seems IIS and taint modes are finicky.
Whiteboard: [needed for win32bz]
Its a reuiqrement if we run edit* in mod_perl, but thats not gong to happen
before they're rewritten anyway. We can enable mod_perl on a per-script basis.
IIS requires renaming the file to have a different extention, IIRC
This works for me
Microsoft Windows 2000 [Version 5.00.2195]
Bugzilla 2.17.4
Perl v5.8.0 built for cygwin-multi-64int

 see bug 208521

is '2.16-slightly-pre-rc1' a cvs tag? if so I will check it on monday the 16

had some new ideas on this...

have IIS load bash to execute the cgi, this way the #! line will be used to run 
the file...

have note tested this yet.

more to come.
The overhead of invoking bash at every CGI load is not acceptable on all 
systems, not to talk about the problems of requiring bash anyway. Besides, I 
don't think it's bash that's relevant - it might well be the Perl application 
itself. Thus, the bash solution will probably work well on Cygwin but not on 
native Win32 Perl.

Taint mode is good anyway. I wonder how realistic waiting for MattyT's new 
admin architecture is - landing that before 2.18 sounds like a pretty tough 
the only other way for IIS to load script files correctly is to use a dll to 
read the first line.

unless perl has an option to allow the 

#!/bin/perl -options 

take precedence?

Active State Perl will not read the first line of the cgi's... "#!/bin/perl -w"
will not activate strict mode. it only works if you say "use strict;" and finaly
if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
mode this way *g*. realy bad :-). this is special for active state perl. :-)

regardings my last posting... this is special to Microsoft IIS and Active State
Perl - no matter if 5.6.1 or 5.8
Taking Jake's bugs...  his Army Reserve unit has been deployed.
QA Contact: jake → justdave
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as
blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
>if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
>mode this way *g*. realy bad :-). this is special for active state perl.

That's just because IIS is using perl.exe to run the file and you need to tell
it sooner than that about the taint.

If you change the script mapping in IIS from:

  <full path to perl.exe>\perl.exe "%s" %s


  <full path to perl.exe>\perl.exe -t "%s" %s

Then you shouldn't get the error, and it should still be in taint mode (in 
fact, everything should be in taint mode that way).

Fat fingers... make that:

<full path to perl.exe>\perl.exe -T "%s" %s

I think I'd like to ship the 2.18rc1 with taint mode enabled on all the files,
whether they're known to work or not.

Most of the taint errors have been found already by the Windows folks (because
they don't get a choice - see dependencies), and I'm sure we'll shake out the
rest during RC.  Fixing taint errors will certainly be worth adding to a stable
release if we miss a few, too.
Flags: blocking2.18+
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Attached patch enable taint mode on edit*.cgi (obsolete) β€” β€” Splinter Review
Assignee: mattyt-bugzilla → bugzilla
Comment on attachment 149022 [details] [diff] [review]
enable taint mode on edit*.cgi

You must also edit t/002goodperl.t to remove the edit* exception. And please do
check if testing suite runs properly thereafter.
Attachment #149022 - Flags: review-
Attachment #149022 - Attachment is obsolete: true
Attachment #149038 - Flags: review?
Comment on attachment 149038 [details] [diff] [review]
enable taint mode on edit*.cgi


This may conflict with some of the individual taint fixes going on in other
bugs (bug 208847 comes to mind) changing the shebang line, but those are
Attachment #149038 - Flags: review? → review+
Dave, do you want a new meta bug filed for taint issues, or shall we just nuke
the dependencies for this?
Flags: approval?
hmm, we can nuke the dependencies I suppose.  taint is an easy enough keyword to
search for.
No longer depends on: 208847, 224021, 224126, 242405
Flags: approval? → approval+
Checked in. Bypassed the conflict from editgroups.cgi already having -T added
(bug 208847 I just checked in). I'll post in webtools alerting people about
possible issues.

Checking in editcomponents.cgi;
/cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v  <--  editcomponents.cgi
new revision: 1.40; previous revision: 1.39
Checking in editmilestones.cgi;
/cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v  <--  editmilestones.cgi
new revision: 1.21; previous revision: 1.20
Checking in editparams.cgi;
/cvsroot/mozilla/webtools/bugzilla/editparams.cgi,v  <--  editparams.cgi
new revision: 1.22; previous revision: 1.21
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v  <--  editproducts.cgi
new revision: 1.49; previous revision: 1.48
Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v  <--  editusers.cgi
new revision: 1.56; previous revision: 1.55
Checking in editversions.cgi;
/cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v  <--  editversions.cgi
new revision: 1.22; previous revision: 1.21
Checking in t/002goodperl.t;
/cvsroot/mozilla/webtools/bugzilla/t/002goodperl.t,v  <--  002goodperl.t
new revision: 1.13; previous revision: 1.12
Closed: 17 years ago
Resolution: --- → FIXED
QA Contact: justdave → default-qa
You need to log in before you can comment on or make changes to this bug.