Closed Bug 177828 Opened 17 years ago Closed 16 years ago

Taint warning from post_bug with perl 5.8

Categories

(Bugzilla :: Creating/Changing Bugs, defect, major)

x86
Linux
defect
Not set
major

Tracking

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: bbaetz, Assigned: myk)

Details

(Whiteboard: [fixed in 2.16.4] [does not affect trunk])

Attachments

(1 file)

As reported on npm.webtools, when submitting a new bug using perl 5.8, we get a
taint warning because the multi-arg form for exec considers having tainted
arguments as deprecated.

We already check the values in the cc field + so on for validity, as does
processmail, so I don't think it's a security issue.

It is something which we should fix, though. For the old system, that would
have been a trick_taint in the loop. Not sure if we can use a similar solution
with match_email, but we probably can.

One other comment... it seems that Netscape web servers redirect CGI stderr to
the same location as stdout, therefore this warning causes the web server to
return a "Server Error" page (although all work done by the CGI completes
correctly).

I know that your recommended web svr is Apache, so I'm not sure how much
difference this makes, but anyway...

If that web server behaves that way, you're going to have _lots_ more problems
- Bugzilla code is not warning free, although we do fix them as we notice them. I
suggest looking at your documentation and trying to fix that.

Is this fixed? We don't run processmail any more...

I can't prop this, but I can't repro it on 2.16, and I know I did before I filed
this bug. Maybe I'm missing something...

If the problem was the exec/open() call to do the processmail-ing, I don't see
why it wouldn't be...

Yeah, I think that this got fixed when mail got redone.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 2.18
*** Bug 215772 has been marked as a duplicate of this bug. ***
Is there a work-around for this problem for people running 2.16.3 with perl 5.8.0?
For what it's worth, I'm running 2.16.3 on a RedHat 9 system with Perl 5.8.0. 
You can reproduce this problem under 2.16.3 by creating a new bug with at least
one person in the CC list.  If I create a bug and add myself to the CC list, I
get the taint message: 

Insecure dependency in exec while running with -T switch at
/var/www/intranet/bugzilla/post_bug.cgi line 303.

I made two quick (and unsafe) attempts at coming up with a workaround:

map { m/^(.*)$/s; $_ = $1 } @ARGLIST;

and putting the call to processmail in a block with local ${^TAINT} = 0. 
Neither of these worked.  (Even so, these taint-defeating workarounds would not
be appropriate if the perl message is legitimate....)
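
A validate-then-untaint variant of the workaround idea in the comment above, as an added example that is not part of the bug report or of the Bugzilla patch: unlike the catch-all m/^(.*)$/s, each CC value is untainted only if it matches a strict address pattern, and only the accepted values reach a list-form system call. The pattern, the untaint_email helper, the sample addresses and /bin/echo as a stand-in for the mail helper are all assumptions.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_cc.pl (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses exec/system while the environment is untrusted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Conservative address pattern (an assumption, not Bugzilla's own check).
# The first character must be alphanumeric, so a value can never look like
# a command-line option to the helper.
my $EMAIL_RE = qr/\A([A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/;

# Return an untainted copy only when the whole value matches, else undef.
sub untaint_email {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $addr =~ $EMAIL_RE ? $1 : undef;
}

# Constructed sample input, tainted the way CGI parameters would be.
my $taint = substr($^X, 0, 0);    # zero-length, but carries the taint flag
my @cc = map { $_ . $taint }
    ('alice@example.com', 'bob@example.org extra', '-f@example.com');

my (@clean, @rejected);
for my $addr (@cc) {
    my $ok = untaint_email($addr);
    if (defined $ok) { push @clean, $ok } else { push @rejected, $addr }
}

printf "tainted in: %d, tainted after validation: %d, rejected: %d\n",
    scalar(grep { tainted($_) } @cc),
    scalar(grep { tainted($_) } @clean),
    scalar(@rejected);

# List form: no shell is involved, and every argument has been validated.
# /bin/echo stands in for the mail helper.
system('/bin/echo', 'cc:', @clean) == 0
    or die "helper failed: $?\n";
```
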
*** Bug 217614 has been marked as a duplicate of this bug. ***
I can reproduce this on landfill/bugzilla-2.16, following the steps to reproduce
given in comment #8.

Insecure dependency in exec while running with -T switch at
        /var/www/html/bugzilla-2.16/post_bug.cgi line 303 (#1)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [wanted for 2.16.4] [does not affect trunk]
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Given that this is a functionality loss, we should really fix this for 2.16.4.
Attached patch: Patch v1
This seems to do the trick...
Attachment #130543 - Flags: review?(bbaetz) → review+
Checking in post_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.52.2.7; previous revision: 1.52.2.6
done
Status: REOPENED → RESOLVED
Closed: 17 years ago → 16 years ago
Flags: approval+
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.4] [does not affect trunk] → [fixed in 2.16.4] [does not affect trunk]
I haven't verified this, but one of my users reports that, even with this patch,
the problem also occurs when you REMOVE people from CC.  I will investigate if I
have time.  If my findings agree, I'll reopen this bug.  Hopefully someone else
will beat me to it and fix the problem. :-)
Excellent.  Dave: I really appreciate your posting a comment letting me (and
anyone else watching this) know!
*** Bug 224761 has been marked as a duplicate of this bug. ***
*** Bug 225722 has been marked as a duplicate of this bug. ***
*** Bug 232230 has been marked as a duplicate of this bug. ***
QA Contact: matty_is_a_geek → default-qa