Closed Bug 221977 Opened 21 years ago Closed 21 years ago

Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm

Categories

(Bugzilla :: Installation & Upgrading, defect, P1)

2.17.4
defect

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: justdave, Assigned: justdave)

Attachments

(1 file)

bugzilla-tip perl 5.6.0 is burning. Error is: Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm line 32.
Attached patch: Patch
This patch makes the error go away. It resolves it by detainting the auth module name. The fact that it's tainted to begin with indicates we may have a problem somewhere else, so this probably isn't the best way to fix it. FWIW, this error ONLY occurs if you don't have a data/params file (which is the case when running in Tinderbox conditions), so it may be a problem with how it falls back on defaults under compile-only conditions.
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
Comment on attachment 133169 (Patch): r=gerv. Gerv
Attachment #133169 - Flags: review+
Flags: approval?
I still don't like this, but it'll do for now.
Assignee: bbaetz → justdave
Flags: approval? → approval+
Checking in Auth.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth.pm,v <-- Auth.pm new revision: 1.2; previous revision: 1.1 done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I really don't like the 'compile-only' stuff tinderbox does, but..... It's 5.6.0 only, so it's hard to debug, but may be related to the way we load in defparams.
Err, hang on. You can't include . in the list of valid characters. Since you don't include / or \, I guess you could allow it as long as it's not . or .., but I don't think . is useful in a name for a module anyway.
QA Contact: matty_is_a_geek → default-qa
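The detainting step discussed in this bug, written out as an added example; it is not the attached patch and not Bugzilla's code. It assumes the core `Digest::` modules as a stand-in for pluggable auth modules, the helper names `detaint_module_name` and `load_module` are hypothetical, and the character class deliberately leaves out `.` as the last comment asks.

```perl
# Run with taint checks on:  perl -T detaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: core Digest:: modules stand in for pluggable auth modules.
my $NAMESPACE = 'Digest';

# Zero-length tainted string; appending it taints a constructed sample value.
my $TAINT = substr($^X, 0, 0);

# Return an untainted copy of $name if it is a bare identifier, else nothing.
# The class has no '.', '/', '\' or ':', so '..' and path segments cannot match.
sub detaint_module_name {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /\A([A-Za-z_][A-Za-z0-9_]*)\z/;   # captures are untainted
    return;
}

# Validate first, then build the path only from the constant prefix and $1.
sub load_module {
    my ($short) = @_;
    my $clean = detaint_module_name($short);
    die "rejected module name\n" unless defined $clean;
    my $file = "$NAMESPACE/$clean.pm";
    require $file;
    return "${NAMESPACE}::$clean";
}

# 1. The failure from this bug: a tainted name reaches require unchanged.
my $raw = "$NAMESPACE/MD5$TAINT.pm";
eval { require $raw };
print "raw require: $@";

# 2. The same name, and three names that must be refused (constructed samples).
for my $input (map { $_ . $TAINT } 'MD5', '..', 'SHA.pm', '../../tmp/x') {
    my $class = eval { load_module($input) };
    my $result = defined $class ? "loaded $class" : "error: $@";
    chomp $result;
    printf "%-12s tainted=%d  %s\n", $input, (tainted($input) ? 1 : 0), $result;
}
```

Detainting only silences the check; the value is safe to pass to `require` because the pattern is anchored at both ends and admits a single identifier, not because a capture group was used.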