Date: Wed, 25 Jan 2006 07:30:08 GMT From: Lupe Christoph <lupe@lupe-christoph.de> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/91872: p5-Net-Server fails to untaint the executable path Message-ID: <200601250730.k0P7U8o8046373@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/91872; it has been noted by GNATS.
From: Lupe Christoph <lupe@lupe-christoph.de>
To: Vasil Dimov <vd@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/91872: p5-Net-Server fails to untaint the executable path
Date: Wed, 25 Jan 2006 08:23:45 +0100
On Tuesday, 2006-01-24 at 11:03:21 +0200, Vasil Dimov wrote:
> On Mon, Jan 16, 2006 at 04:44:07PM +0100, Lupe Christoph wrote:
> > --- Net-Server.patch begins here ---
> > --- /usr/local/lib/perl5/site_perl/5.8.7/Net/Server.pm.orig Mon Dec 5 22:13:04 2005
> > +++ /usr/local/lib/perl5/site_perl/5.8.7/Net/Server.pm Mon Jan 16 16:26:49 2006
> ...
> Can you please submit a patch that applies to the port, not the
> installed software.
> E.g. /usr/ports/net/p5-Net-Server not /usr/local/lib/perl5/site_perl/5.8.7/
As you wish, master! ;-)
diff -ruN p5-Net-Server.orig/files/patch-Server.pm p5-Net-Server/files/patch-Server.pm
--- p5-Net-Server.orig/files/patch-Server.pm Thu Jan 1 01:00:00 1970
+++ p5-Net-Server/files/patch-Server.pm Wed Jan 25 08:21:13 2006
@@ -0,0 +1,21 @@
+diff -ruN lib/Net/Server.pm lib/Net/Server.pm
+--- lib/Net/Server.pm Mon Dec 5 22:13:04 2005
++++ lib/Net/Server.pm Wed Jan 25 08:18:25 2006
+@@ -133,6 +133,7 @@
+ ### see if we can find the full command line
+ if (open _CMDLINE, "/proc/$$/cmdline") { # unix specific
+ my $line = do { local $/ = undef; <_CMDLINE> };
++ ($line) = $line =~ /^(.*)$/; # untaint
+ close _CMDLINE;
+ if ($line) {
+ return [split /\0/, $line];
+@@ -140,7 +141,8 @@
+ }
+
+ my $script = $0;
+- $script = $ENV{'PWD'} .'/'. $script if $script =~ m|^\.+/| && $ENV{'PWD'}; # add absolute to relative
++ $script = $ENV{'PWD'} .'/'. $script if $script !~ m|^\//| && $ENV{'PWD'}; # add absolute to relative
++ ($script) = $script =~ /^(.*)$/; # untaint
+ return [ $script, @ARGV ]
+ }
+
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200601250730.k0P7U8o8046373>