Closed Bug 161402 Opened 22 years ago Closed 22 years ago

Disable DBI taint mode in processmail

Categories

(Bugzilla :: Email Notifications, defect, P1)

2.17
x86
Linux
defect

Tracking

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: bbaetz, Assigned: bbaetz)

Details

Attachments

(1 file)

DBI has a taint setting, where data coming into DBI is checked, and data going
out is marked as tainted. This is enabled in processmail only.

We already manually check data going into the db. Stuff coming from the db is a
problem, because:

a) this is only done in processmail
b) it's useless

Seriously, we have to trust what comes out of the database - there's really no
point if we don't. And adding trick_taint calls to every single db query strikes
me as a useless waste of time.

So I'd like to remove the stuff from processmail.

Comments?
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
I agree.
Agreed. Do it. I like the manual taint checking on SendSQL that you came up
with better anyway. :-) (And the DBI docs say the taint mode is subject to
change anyhow.)
Sounds good to me.

Bradley: I'm going to roll this change into the uber patch for bug 124174, which
we talked about my taking over to push it through review and checkin on IRC.
This is, of course, assuming that the situation is still the same as it was when
we had that conversation (i.e. your free time availability is low, you're
gone, etc.)

That's a high priority bug for me right now, what with *my* free time availability.
I might do this separately, simply because this will allow me to remove some
ugly stuff for bug 43600. It's one line + comments, so it won't take that much
time...

(Plus a mail to the DBI list asking for taintin and taintout to be separated)
Attached patch v1
This is the quick patch. Removing unneeded taint stuff can happen later, when
processmail is package-ised.
-> me
Assignee: preed → bbaetz
Keywords: patch, review
Comment on attachment 94601
v1


Gets r= from Joel. No 2xr needed.
Attachment #94601 - Flags: review+
Comment on attachment 94601
v1

Apparently, 'no 2xr needed' is being done by checking both boxes.
Attachment #94601 - Flags: review+
Checked in.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
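
The approach this bug settles on (check data by hand before it goes into the database, trust what comes out) can be sketched in plain Perl taint mode. This is an added example, not Bugzilla's code: `send_sql_checked` and `validate_bug_id` are hypothetical names, the query is illustrative, and the sample inputs are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not Bugzilla code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with -T so Perl tracks taint\n" unless ${^TAINT};

# Zero-length tainted string; appending it taints a constructed sample
# the same way CGI or mail input would arrive tainted.
my $TAINT = substr("$0$^X", 0, 0);

# Hypothetical stand-in for a SendSQL-style wrapper: the manual check on
# data going into the database. It refuses any statement built from
# tainted data, independent of any DBI-level taint setting.
sub send_sql_checked {
    my ($sql) = @_;
    die "refusing tainted SQL: $sql\n" if tainted($sql);
    return "would execute: $sql";    # a real wrapper would pass $sql to DBI here
}

# Validate, then untaint through a regex capture. Only a value with the
# expected shape (a positive integer id) comes back, and it is untainted.
sub validate_bug_id {
    my ($value) = @_;
    return $value =~ /\A([1-9][0-9]*)\z/ ? $1 : undef;
}

# Constructed sample inputs, marked tainted as external input would be.
my @samples = map { $_ . $TAINT } ('161402', '1 OR 1=1');

for my $raw (@samples) {
    # 1. Unvalidated input never reaches the database layer.
    my $direct = eval { send_sql_checked("SELECT bug_id FROM bugs WHERE bug_id = $raw") };
    print "raw '$raw': ", (defined $direct ? $direct : "blocked as tainted"), "\n";

    # 2. Input that passes validation is untainted and accepted.
    my $id = validate_bug_id($raw);
    if (defined $id) {
        print "  validated: ",
            send_sql_checked("SELECT bug_id FROM bugs WHERE bug_id = $id"), "\n";
    } else {
        print "  rejected by validation\n";
    }
}
```

Because the check lives in the wrapper, values read back from the database need no untainting calls, which is the cost the reporter objects to when results are marked tainted.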