Built from 2.1.17 source, works fine on commandline, but not working from CGI wrapper. Traced problem to regular expressions failing to match, specifically in contexts like the following in Render.pm:

    my ($f)=/$config{wiki_file_regexp}/; # untaint

It works if I replace it with:

    my ($f)=/(^[-[:alnum:]_.:\/+]+$)/; # untaint

which is exactly the same regular expression drawn out as a constant. It appears that %config gets some tainted data and is itself being marked entirely tainted, which may prevent using regular expressions contained in it for untainting other data. I'm using Perl 5.8.8.
> How could `%config` possibly get tainted? That would be a major security
> hole. It seems more likely that perl continues to have taint flag bugs
> even in 5.8. See also: [[prune_causing_taint_mode_failures]],
> [[Insecure_dependency_in_mkdir]],
> [[Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn]],
> and especially [[debbug 411786]]
>
> The last of those was the last straw for me, and I disabled taint
> checking in the debian package. You can do the same by building ikiwiki
> with NOTAINT=1. :-( --[[Joey]]
[[tag done]]
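
A small probe for telling apart the two explanations discussed in this thread, added here as an example and not taken from ikiwiki: it applies the quoted pattern once from a clean hash value and once from a deliberately tainted one, and prints what the running Perl reports for each. The `%config` contents, the key names `clean` and `dirty`, and the input filename are constructed stand-ins.

```perl
# Added diagnostic, not part of ikiwiki. Run as: perl -T taint_probe.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Zero-length tainted string: appending it taints a value without changing it.
my $TAINT = substr($^X, 0, 0);

# Pattern text as quoted in the report, held as a plain string.
my $regexp = '(^[-[:alnum:]_.:\/+]+$)';

# Constructed stand-in for %config. Assigned in separate statements so the
# taint on one value cannot be confused with the other.
my %config;
$config{clean} = $regexp;
$config{dirty} = $regexp . $TAINT;   # simulates a config value that picked up taint

# Constructed tainted input, standing in for a filename arriving via CGI.
my $input = 'subdir/page.mdwn' . $TAINT;

# Apply the pattern the way Render.pm does and report the taint state of
# the pattern and of the captured (supposedly untainted) result.
sub report {
    my ($label, $pattern) = @_;
    my ($f) = $input =~ /$pattern/;
    printf "%-6s pattern tainted=%d matched=%d capture tainted=%d\n",
        $label,
        tainted($pattern) ? 1 : 0,
        defined $f ? 1 : 0,
        (defined $f && tainted($f)) ? 1 : 0;
}

report(clean => $config{clean});
report(dirty => $config{dirty});
```

In a real installation the same `tainted()` check can be pointed at the actual configuration value just before the match, which shows whether the value itself carries taint at that point.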