On Thu, 6 Sep 2001, Stas Bekman wrote: > On Thu, 6 Sep 2001, Gary Benson wrote: > > > > > On 6 Sep 2001 [EMAIL PROTECTED] wrote: > > > > > stas 01/09/05 19:36:44 > > > > > > Modified: perl-framework/Apache-Test/lib/Apache TestConfig.pm > > > TestConfigParse.pm > > > Log: > > > - enable taint mode in tests via PerlSwitches -T > > > - untaint $ENV{PATH} before using open "-|" > > > > [snip] > > > > > diff -u -r1.7 -r1.8 > > > --- TestConfigParse.pm 2001/08/20 15:20:50 1.7 > > > +++ TestConfigParse.pm 2001/09/06 02:36:44 1.8 > > > @@ -220,6 +220,8 @@ > > > > > > my $version; > > > my $cmd = "$httpd -v"; > > > + # untaint > > > + $ENV{PATH} = '/bin:/usr/bin'; > > > open my $v, '-|', $cmd or die "$cmd failed: $!"; > > > > > > local $_; > > > > This breaks on mine even though $httpd is an absolute path at this point. > > You mean if you don't add the patch from above?
>From a clean, current CVS checkout: % cd httpd-test/perl-framework % export PATH=/path/to/httpd-and-apxs:$PATH % perl Makefile.PL % make % t/TEST -start-httpd setting ulimit to allow core files ulimit -c unlimited exec t/TEST -start-httpd cannot build c-modules without apxs no test server configured, please specify an httpd or apxs or put either in your PATH > > I'm not familiar enough with Perl to know why this should be, but is there > > a better way (like $ENV{PATH} = '/bin:/usr/bin' unless $httpd =~ m:^/:;). > > Would that successfully untaint it? > > It's not about being absolute path or not, it's about opening "-|", which > is insecure if $ENV{PATH} is not untainted. I don't really think I understand this line: | open my $v, '-|', $cmd or die "$cmd failed: $!"; As far as I see it, '-|' means perform an explicit fork, with return value of open being child pid in the parent and 0 in the child. From what I see, it looks like you should be doing either of these two: | open my $v, "$httpd|" or die "$cmd failed: $!"; | open my $v, '-|' or exec $httpd or die "$cmd failed: $!"; I'm not saying that your code is _wrong_: I'm saying I don't understand it. I can see what your line does, but now how it does it or why '-|' is insecure. > > I can't tell, since mine doesn't complain about it being tainted at this > > point and I can't figure out a way to make it do so. Why do you need to > > untaint here anyway? Is this something from mod_perl? I'm confused! > > What's your Perl version? perl -v ? v5.6.1 I'm just running it as my UID, so would taint checking happen anyway? Gary [ Gary Benson, Red Hat Europe ][ [EMAIL PROTECTED] ][ GnuPG 60E8793A ]