edit*.cgis should be run in taint mode

RESOLVED FIXED in Bugzilla 2.18

Status

()

task
P2
normal
RESOLVED FIXED
17 years ago
7 years ago

People

(Reporter: jouni, Assigned: glob)

Tracking

2.15
Bugzilla 2.18
Bug Flags:
approval +
blocking2.18 +

Details

(Whiteboard: [needed for win32bz])

Attachments

(1 attachment, 1 obsolete attachment)

Reporter

Description

17 years ago
Taint mode should be enabled for admin cgis as well. See discussion in bug
140784 - it may be that this is nothing more than adding -T to the shebang
lines, but better test carefully. I guess this is 2.18, then.
Most of this will occur when I move most of these files over to my new
administration architecture. (bug #97706).
Assignee: justdave → matty
Severity: enhancement → normal
Priority: -- → P2
QA Contact: matty → jake
Target Milestone: --- → Bugzilla 2.18
Reporter

Comment 2

17 years ago
Ok. Matty, when will your new architecture be ready?

I've been running 2.16-slightly-pre-rc1 for several weeks now with all the admin
files in taint mode, and had no problems whatsoever. So if a quick fix for this
is needed, just adding the -Ts to shebang lines will probably be just fine.
It's already ready, it's just waiting review and checkin once 2.18 opens.
According to a discussion on developers@ today
(http://bugzilla.org/cgi-bin/mj_wwwusr?list=developers&brief=on&func=archive-get-part&extra=200305/169),
it looks like this will be necessary for "out of the box" compatibility with Win32.

It seems IIS and taint modes are finicky.
Whiteboard: [needed for win32bz]
Its a reuiqrement if we run edit* in mod_perl, but thats not gong to happen
before they're rewritten anyway. We can enable mod_perl on a per-script basis.
IIS requires renaming the file to have a different extention, IIRC

Comment 6

16 years ago
This works for me
Microsoft Windows 2000 [Version 5.00.2195]
Bugzilla 2.17.4
Perl v5.8.0 built for cygwin-multi-64int

 see bug 208521

is '2.16-slightly-pre-rc1' a cvs tag? if so I will check it on monday the 16

Comment 7

16 years ago
had some new ideas on this...

have IIS load bash to execute the cgi, this way the #! line will be used to run 
the file...


have note tested this yet.

more to come.
Reporter

Comment 8

16 years ago
The overhead of invoking bash at every CGI load is not acceptable on all 
systems, not to talk about the problems of requiring bash anyway. Besides, I 
don't think it's bash that's relevant - it might well be the Perl application 
itself. Thus, the bash solution will probably work well on Cygwin but not on 
native Win32 Perl.

Taint mode is good anyway. I wonder how realistic waiting for MattyT's new 
admin architecture is - landing that before 2.18 sounds like a pretty tough 
goal...

Comment 9

16 years ago
the only other way for IIS to load script files correctly is to use a dll to 
read the first line.

unless perl has an option to allow the 

#!/bin/perl -options 

take precedence?

Comment 10

16 years ago
Active State Perl will not read the first line of the cgi's... "#!/bin/perl -w"
will not activate strict mode. it only works if you say "use strict;" and finaly
if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
mode this way *g*. realy bad :-). this is special for active state perl. :-)

Comment 11

16 years ago
regardings my last posting... this is special to Microsoft IIS and Active State
Perl - no matter if 5.6.1 or 5.8
Taking Jake's bugs...  his Army Reserve unit has been deployed.
QA Contact: jake → justdave
All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as
blockers are getting pushed out to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20

Comment 14

15 years ago
>if you say "#!/bin/perl -wT" you get a error that you cannot activate tainted
>mode this way *g*. realy bad :-). this is special for active state perl.

That's just because IIS is using perl.exe to run the file and you need to tell
it sooner than that about the taint.

If you change the script mapping in IIS from:

  <full path to perl.exe>\perl.exe "%s" %s

to:

  <full path to perl.exe>\perl.exe -t "%s" %s

Then you shouldn't get the error, and it should still be in taint mode (in 
fact, everything should be in taint mode that way).



Comment 15

15 years ago
Fat fingers... make that:

<full path to perl.exe>\perl.exe -T "%s" %s


I think I'd like to ship the 2.18rc1 with taint mode enabled on all the files,
whether they're known to work or not.

Most of the taint errors have been found already by the Windows folks (because
they don't get a choice - see dependencies), and I'm sure we'll shake out the
rest during RC.  Fixing taint errors will certainly be worth adding to a stable
release if we miss a few, too.
Flags: blocking2.18+
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Assignee

Comment 17

15 years ago
Assignee

Updated

15 years ago
Assignee: mattyt-bugzilla → bugzilla
Assignee

Updated

15 years ago
Status: NEW → ASSIGNED
Reporter

Comment 18

15 years ago
Comment on attachment 149022 [details] [diff] [review]
enable taint mode on edit*.cgi

You must also edit t/002goodperl.t to remove the edit* exception. And please do
check if testing suite runs properly thereafter.
Attachment #149022 - Flags: review-
Assignee

Comment 19

15 years ago
Attachment #149022 - Attachment is obsolete: true
Assignee

Updated

15 years ago
Attachment #149038 - Flags: review?
Reporter

Comment 20

15 years ago
Comment on attachment 149038 [details] [diff] [review]
enable taint mode on edit*.cgi

r=jouni

This may conflict with some of the individual taint fixes going on in other
bugs (bug 208847 comes to mind) changing the shebang line, but those are
trivial.
Attachment #149038 - Flags: review? → review+
Reporter

Comment 21

15 years ago
Dave, do you want a new meta bug filed for taint issues, or shall we just nuke
the dependencies for this?
Flags: approval?
hmm, we can nuke the dependencies I suppose.  taint is an easy enough keyword to
search for.
No longer depends on: 208847, 224021, 224126, 242405
Flags: approval? → approval+
Reporter

Comment 23

15 years ago
Checked in. Bypassed the conflict from editgroups.cgi already having -T added
(bug 208847 I just checked in). I'll post in webtools alerting people about
possible issues.

Checking in editcomponents.cgi;
/cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v  <--  editcomponents.cgi
new revision: 1.40; previous revision: 1.39
done
Checking in editmilestones.cgi;
/cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v  <--  editmilestones.cgi
new revision: 1.21; previous revision: 1.20
done
Checking in editparams.cgi;
/cvsroot/mozilla/webtools/bugzilla/editparams.cgi,v  <--  editparams.cgi
new revision: 1.22; previous revision: 1.21
done
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v  <--  editproducts.cgi
new revision: 1.49; previous revision: 1.48
done
Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v  <--  editusers.cgi
new revision: 1.56; previous revision: 1.55
done
Checking in editversions.cgi;
/cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v  <--  editversions.cgi
new revision: 1.22; previous revision: 1.21
done
Checking in t/002goodperl.t;
/cvsroot/mozilla/webtools/bugzilla/t/002goodperl.t,v  <--  002goodperl.t
new revision: 1.13; previous revision: 1.12
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
QA Contact: justdave → default-qa
You need to log in before you can comment on or make changes to this bug.