Closed Bug 155791 Opened 22 years ago Closed 22 years ago

$::FORM is not tainted under perl 5.6.1

Categories

(Bugzilla :: Bugzilla-General, defect)

x86
Linux
defect
Not set
blocker

RESOLVED DUPLICATE of bug 155793

People

(Reporter: bbaetz, Assigned: bbaetz)

Details

While looking into why I didn't see bug 155700, it turns out that perl > 5.6.0
has broken |use taint 're'|, which we use to avoid tainting . I've filed a bug
with a test case - see the URL.

The workaround is to assign a known-tainted value to $item and $value first,
before. The alternate fix is to use split, rather than $1 (like CGI.pm does), or
to avoid using $1, and just assign from the result of the m// directly (which
appears to avoid triggering this bug).

I'll wait to see what the response is before deciding which one to do, but we
should do one of them for 2.16.
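
The two alternatives named in the report above (split instead of $1, or assigning straight from the match result), as an added example that is not Bugzilla's code and not part of the original report. It assumes the pragma in question is Perl's `use re 'taint'`; the query string and the function names are constructed for illustration, and URL decoding is left out.

```perl
#!/usr/bin/perl -T
# Added example, not Bugzilla code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use re 'taint';                  # captures from tainted input stay tainted
use Scalar::Util qw(tainted);

die "taint mode is off, run with -T\n" unless ${^TAINT};

# Constructed sample input. Appending a zero-length slice of a tainted
# value ($^X is tainted under -T) taints the literal without changing it.
my $TAINT = substr($^X, 0, 0);
my $query = 'product=Bugzilla&comment=hello' . $TAINT;

# Alternative 1: split only, no capture variables involved.
sub parse_with_split {
    my ($buf) = @_;
    my %form;
    for my $pair (split /&/, $buf) {
        my ($item, $value) = split /=/, $pair, 2;
        $form{$item} = $value;
    }
    return %form;
}

# Alternative 2: assign from the list-context result of m//, never
# reading $1 or $2.
sub parse_with_match {
    my ($buf) = @_;
    my %form;
    for my $pair (split /&/, $buf) {
        my ($item, $value) = $pair =~ /^([^=]*)=(.*)$/ or next;
        $form{$item} = $value;
    }
    return %form;
}

# Regression check: every parsed value must still be tainted.
# (Hash keys never carry taint in Perl, so only values are checked.)
for my $parser (\&parse_with_split, \&parse_with_match) {
    my %form = $parser->($query);
    for my $item (sort keys %form) {
        die "value for '$item' lost its taint\n"
            unless tainted($form{$item});
    }
}
print "all form values are still tainted\n";
```
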
Dupe submission because of bug 154036.

myk, can you apply that patch to bmo, please?

*** This bug has been marked as a duplicate of 155793 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
QA Contact: matty_is_a_geek → default-qa