Closed
Bug 155861
Opened 23 years ago
Closed 23 years ago
showdependancygraph.cgi fails taint check with local dot installation
Categories
(Bugzilla :: Reporting/Charting, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: carl, Assigned: bbaetz)
Details
Attachments
(1 file)
3.69 KB,
patch
|
gerv
:
review+
myk
:
review+
|
Details | Diff | Splinter Review |
Trying to show the dependancy graph using a locally installed version of dot
causes perl to throw a taint "insecure dependancy in showdependancygraph.cgi at
line 192" error.
This line is;
foreach my $f (glob("data/webdot/*.dot
data/webdot/*.png
data/webdot/*.map"))
There is a "trick_taint" further down in the loop which I guess is supposed to
stop this, but it seems to be the glob that is causing it.
I've got it working by replacing the above 3 lines with the following 4;
opendir(DIR, "data/webdot/");
my @taintf = grep { /\.dot$|\.png$|\.map$/ } readdir(DIR);
closedir(DIR);
foreach my $f (@taintf)
I'm not 100% sure the regex is right, but it seems to work now and the graph is
generated. I'll have to wait a few days to so to see if it is deleting old graphs.
This is in Bugzilla v2.16RC2 running under FreeBSD 4.3-STABLE with Perl 5.005_03.
Assignee | ||
Comment 1•23 years ago
|
||
-> 2.16
just calling glob('*.foo') is insecure in 5.0055, because it uses csh to do the
expansion - 5.8.0RC2 adds to teh perlsec man page:
# In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
# have used an external program to do the filename expansion; but in
# either case the result is tainted since the list of filenames comes
# from outside of the program.
We need to use readidr, but when deleteing, we also need to prepend 'data/graphs'
-> 2.16
Target Milestone: --- → Bugzilla 2.16
Reporter | ||
Comment 2•23 years ago
|
||
oops missed that.
So we need to add something like this;
my $pathf = "data/webdot/" . $f;
if (ModTime($pathf) < $since) {
unlink $pathf;
}
at line 209.
Assignee | ||
Comment 3•23 years ago
|
||
Before I could test this I needed to get the perms set right. This changes
checksetup.pl to do that.
I don't have access to a perl5.005 system to test this on, since landfill is
down.
Assignee | ||
Comment 4•23 years ago
|
||
-> patch author (me)
Comment 5•23 years ago
|
||
Comment on attachment 90452 [details] [diff] [review]
v1
r=gerv.
Gerv
Attachment #90452 -
Flags: review+
Comment 6•23 years ago
|
||
Comment on attachment 90452 [details] [diff] [review]
v1
Works, looks-good. r=myk
Am I right in thinking that mimedump-tmp is used only by contrib scripts and
shouldn't be created by checksetup.pl (and that's why you removed its creation
from the script)?
Attachment #90452 -
Flags: review+
Assignee | ||
Comment 7•23 years ago
|
||
I grepped for uses of that dir, but forgot to grep contrib. I've left that line
in, but because of bug 156568 its never actually run, anyway.
I don't have a perl 5.005 bz installation, but I did test this snippit on
solaris 5.005_02 without problems
Checked into trunk + branch
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl
new revision: 1.160; previous revision: 1.159
done
Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <--
showdependencygraph.cgi
new revision: 1.20; previous revision: 1.19
done
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl
new revision: 1.149.2.8; previous revision: 1.149.2.7
done
Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <--
showdependencygraph.cgi
new revision: 1.18.2.1; previous revision: 1.18
done
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•