Closed
Bug 155861
Opened 22 years ago
Closed 22 years ago
showdependancygraph.cgi fails taint check with local dot installation
Categories
(Bugzilla :: Reporting/Charting, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: carl, Assigned: bbaetz)
Details
Attachments
(1 file)
|
3.69 KB,
patch
|
gerv
:
review+
myk
:
review+
|
Details | Diff | Splinter Review |
Trying to show the dependancy graph using a locally installed version of dot
causes perl to throw a taint "insecure dependancy in showdependancygraph.cgi at
line 192" error.
This line is;
foreach my $f (glob("data/webdot/*.dot
data/webdot/*.png
data/webdot/*.map"))
There is a "trick_taint" further down in the loop which I guess is supposed to
stop this, but it seems to be the glob that is causing it.
I've got it working by replacing the above 3 lines with the following 4;
opendir(DIR, "data/webdot/");
my @taintf = grep { /\.dot$|\.png$|\.map$/ } readdir(DIR);
closedir(DIR);
foreach my $f (@taintf)
I'm not 100% sure the regex is right, but it seems to work now and the graph is
generated. I'll have to wait a few days to so to see if it is deleting old graphs.
This is in Bugzilla v2.16RC2 running under FreeBSD 4.3-STABLE with Perl 5.005_03.
|
Assignee | |
Comment 1•22 years ago
|
||
-> 2.16
just calling glob('*.foo') is insecure in 5.0055, because it uses csh to do the
expansion - 5.8.0RC2 adds to teh perlsec man page:
# In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
# have used an external program to do the filename expansion; but in
# either case the result is tainted since the list of filenames comes
# from outside of the program.
We need to use readidr, but when deleteing, we also need to prepend 'data/graphs'
-> 2.16Target Milestone: --- → Bugzilla 2.16
|
Reporter | |
Comment 2•22 years ago
|
||
oops missed that.
So we need to add something like this;
my $pathf = "data/webdot/" . $f;
if (ModTime($pathf) < $since) {
unlink $pathf;
}
at line 209.|
|
Assignee | |
Comment 3•22 years ago
|
||
Before I could test this I needed to get the perms set right. This changes checksetup.pl to do that. I don't have access to a perl5.005 system to test this on, since landfill is down.
|
|
Assignee | |
Comment 4•22 years ago
|
||
-> patch author (me)
|
||
Comment 5•22 years ago
|
||
Comment on attachment 90452 [details] [diff] [review] v1 r=gerv. Gerv
Attachment #90452 -
Flags: review+
|
||
Comment 6•22 years ago
|
||
Comment on attachment 90452 [details] [diff] [review] v1 Works, looks-good. r=myk Am I right in thinking that mimedump-tmp is used only by contrib scripts and shouldn't be created by checksetup.pl (and that's why you removed its creation from the script)?
Attachment #90452 -
Flags: review+
|
|
Assignee | |
Comment 7•22 years ago
|
||
I grepped for uses of that dir, but forgot to grep contrib. I've left that line in, but because of bug 156568 its never actually run, anyway. I don't have a perl 5.005 bz installation, but I did test this snippit on solaris 5.005_02 without problems Checked into trunk + branch Checking in checksetup.pl; /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl new revision: 1.160; previous revision: 1.159 done Checking in showdependencygraph.cgi; /cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <-- showdependencygraph.cgi new revision: 1.20; previous revision: 1.19 done Checking in checksetup.pl; /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl new revision: 1.149.2.8; previous revision: 1.149.2.7 done Checking in showdependencygraph.cgi; /cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <-- showdependencygraph.cgi new revision: 1.18.2.1; previous revision: 1.18 done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•