Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm

RESOLVED FIXED in Bugzilla 2.18

Status: RESOLVED FIXED (defect, P1, blocker); reported 16 years ago, last modified 7 years ago

People: Reporter: justdave; Assigned: justdave

Tracking: Version 2.17.4; Target Milestone: Bugzilla 2.18

Bug Flags: approval+

Attachments: 1 attachment

bugzilla-tip perl 5.6.0 is burning.

Error is:

Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm
line 32.
Posted patch: Patch
This patch makes the error go away.  It resolves it by detainting the auth
module name.  The fact that it's tainted to begin with indicates we may have a
problem somewhere else, so this probably isn't the best way to fix it.

FWIW, this error ONLY occurs if you don't have a data/params file (which is the
case when running in Tinderbox conditions), so it may be a problem with how it
falls back on defaults under compile-only conditions.
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
Flags: approval?
I still don't like this, but it'll do for now.
Assignee: bbaetz → justdave
Flags: approval? → approval+
Checking in Auth.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth.pm,v  <--  Auth.pm
new revision: 1.2; previous revision: 1.1
done
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
I really don't like the 'compile-only' stuff tinderbox does, but.....

It's 5.6.0 only, so it's hard to debug, but may be related to the way we load in
defparams.
Err, hang on. You can't include . in the list of valid characters. Since you
don't include / or \, I guess you could allow it as long as it's not . or .., but
I don't think . is useful in a name for a module anyway.
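An added illustration, not the Bugzilla patch itself, of the allow-list detainting the comments above describe: under -T the module name is matched against word characters only, so `.`, `..`, `/` and `\` are rejected outright, and only the captured group is handed to require. The `Bugzilla/Auth/` path prefix, the `BUGZILLA_AUTH` environment variable and the candidate names are assumptions for the demonstration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed example, not code from the Bugzilla patch: a module name that
# arrived from a tainted source (here %ENV) is validated against an allow-list
# before it is used in require. Under -T, require on a tainted string dies
# with "Insecure dependency in require".
sub untaint_module_name {
    my ($name) = @_;
    # Word characters only: '.', '..', '/' and '\' never match, so there is
    # no need to special-case them after the fact.
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9_]+)\z/;
    return $1;   # the capture group is the untainted copy
}

sub auth_module_file {
    my ($tainted_name) = @_;
    my $name = untaint_module_name($tainted_name)
        or die "Refusing to load auth module '$tainted_name'\n";
    return "Bugzilla/Auth/$name.pm";   # safe to pass to require
}

# Demonstration: %ENV is tainted under -T, so a value set there stays tainted
# until it passes the regex above. (BUGZILLA_AUTH is an assumed variable name.)
my $raw = defined $ENV{BUGZILLA_AUTH} ? $ENV{BUGZILLA_AUTH} : 'DB';
print "raw value tainted: ", (tainted($raw) ? "yes" : "no"), "\n";
for my $candidate ($raw, 'DB', 'LDAP', '../Config', 'Foo.pm') {
    my $file = eval { auth_module_file($candidate) };
    if (defined $file) {
        print "$candidate -> $file (tainted: ", (tainted($file) ? 'yes' : 'no'), ")\n";
    } else {
        print "$candidate -> rejected: $@";
    }
}
```

Run it as `BUGZILLA_AUTH=DB perl -T script.pl` to see the environment value reported as tainted on input and clean after validation.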
QA Contact: matty_is_a_geek → default-qa