Date:      Sat, 17 May 2003 22:25:50 -0000
From:      "Vladimir I. Chukharev" <chu@gpi.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        freebsd-cvsweb@freebsd.org
Subject:   [patch] devel/cvsweb and perl5.8
Message-ID:  <200305172225.h4HMPgmY013329@svak.h33.erkki.ton.tut.fi>


>Submitter-Id:	current-users
>Originator:	Vladimir I. Chukharev
>Organization:	
>Confidential:	no 
>Synopsis:	[patch] devel/cvsweb and perl5.8
>Severity:	non-critical
>Priority:	low
>Category:	ports
>Class:		change-request
>Release:	FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD svak.h33.erkki.ton.tut.fi 4.8-STABLE FreeBSD 4.8-STABLE #3: Sun Apr 27 18:20:15 EEST 2003 root@svak.h33.erkki.ton.tut.fi:/usr/obj/usr/src/sys/SVAK i386

ports/devel/cvsweb

>Description:

I found this when installing cvsweb on RedHat-8 with perl5.8, but I guess 
it is the same everywhere. 
Patched version works on FreeBSD 4.8-STABLE fine.

In newer versions of perl the taint checks are a bit more strict. It warns
that parameters to exec() are tainted. The patch applies some simplistic
sanity check to one parameter and just silences perl about the other
parameter (full pathname). 

Perhaps the RE in lines with 'FIX ME ?' should be corrected.
And should 'die' be just 'exit(-1)'?

>How-To-Repeat:

Run cvsweb.cgi on a system with perl5.8, e.g. Linux RedHat 8.0 :^)
You will see in the error logs of httpd something similar to

[Tue May 13 17:05:17 2003] [error] [client xxx.yyy.40.12] Use of tainted arguments in exec is deprecated at cvsweb.pl line 2339., referer:RRRR


>Fix:

--- cvsweb.cgi.patch begins here ---
--- cvsweb.cgi.orig	Sat May 17 23:51:48 2003
+++ cvsweb.cgi	Sat May 17 23:51:42 2003
@@ -2331,6 +2331,16 @@
 
 	print("Going to rlog '$fullname'\n") if ($verbose);
 	if (!open($fh, "-|")) {    # child
+        	if ($revision =~ /^([-\@\w.]*)$/) {# FIX ME ?
+        	    $revision = $1;                # $revision now untainted
+        	} else {
+        	    die "Bad data in $revision";   # log this somewhere
+        	}
+        	if ($fullname =~ /^(.*)$/) {	   # FIX ME ? just silence taint check
+        	    $fullname = $1;                # $fullname now untainted
+        	} else {
+        	    die "Bad data in $fullname";   # log this somewhere
+        	}
 		if ($revision ne '') {
 			openOutputFilter();
 			exec($CMD{rlog}, $revision, $fullname) or exit -1;
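
Review bot: the `$fullname` branch untaints without validating anything. `/^(.*)$/` accepts any string that has no embedded newline, so the `else` arm with `die "Bad data in $fullname"` is practically unreachable and the taint check is switched off rather than satisfied, as the `FIX ME ?` comment on that line already concedes. Suggest matching `$fullname` against what a repository file path is allowed to look like (anchored with `\A` and `\z`, no `..` component, a restricted character class) and capturing from that pattern. On the `$revision` test, the class `[-\@\w.]*` also admits a leading `-` and the empty string; since `$revision` is handed to rlog as its own argument in `exec($CMD{rlog}, $revision, $fullname)`, it would be safer to anchor the pattern to the exact option form that is expected there. Both `die` messages interpolate the rejected value, so whatever logs them should treat that text as untrusted. The added lines are indented with spaces followed by tabs while the surrounding code uses tabs only.
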
--- cvsweb.cgi.patch ends here ---

V.Chukharev
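
An added example, not part of the original message or of cvsweb's code: untainting by validation instead of a catch-all pattern, under Perl taint mode. The root `/home/ncvs`, the `-r<rev>` form of the revision argument, the helper names and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $ROOT = '/home/ncvs';    # hypothetical repository root (assumption)

# Accept only "-r" followed by a revision number or tag (assumed form).
sub untaint_revision {
    my ($rev) = @_;
    return '' if $rev eq '';
    return $rev =~ /\A(-r[A-Za-z0-9][\w.-]*)\z/ ? $1 : undef;
}

# Accept only an RCS ",v" file under $root: no ".." component and a
# conservative character set. Perl untaints any capture, so the pattern
# itself has to do the real checking.
sub untaint_rcs_path {
    my ($path, $root) = @_;
    return undef if $path =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $path =~ m{\A(\Q$root\E/[\w.+/-]+,v)\z} ? $1 : undef;
}

# Under -T, $^X is tainted; appending a zero-length piece of it taints
# the constructed samples the way CGI input would be.
my $taint = substr($^X, 0, 0);

my @samples = (    # constructed inputs
    [ '-r1.42',     "$ROOT/ports/devel/cvsweb/Makefile,v" ],
    [ '-rRELENG_4', "$ROOT/src/Makefile,v" ],
    [ '--help',     "$ROOT/src/Makefile,v" ],      # not of the -r form
    [ '-r1.1',      "$ROOT/src/../../etc/x,v" ],   # ".." component
    [ '-r1.1',      "/tmp/other/Makefile,v" ],     # outside the root
);

for my $s (@samples) {
    my ($rev, $path) = map { $_ . $taint } @$s;
    my $r = untaint_revision($rev);
    my $p = untaint_rcs_path($path, $ROOT);
    if (defined $r && defined $p) {
        my $still = (tainted($r) || tainted($p)) ? 'yes' : 'no';
        print "accept  $r $p (still tainted: $still)\n";
    } else {
        print "reject  $rev $path\n";
    }
}
```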


