Debian Bug report logs - #406205
libfile-find-rule-perl: Taint mode fails


Package: libfile-find-rule-perl; Maintainer for libfile-find-rule-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libfile-find-rule-perl is src:libfile-find-rule-perl.

Reported by: Wolfgang Schemmel <bugs@dodgeit.com>

Date: Tue, 9 Jan 2007 15:48:26 UTC

Severity: minor

Tags: fixed-upstream, patch, upstream

Found in version libfile-find-rule-perl/0.30-2

Fixed in version 0.32-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=20418



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#406205; Package libfile-find-rule-perl. Full text and rfc822 format available.

Acknowledgement sent to Wolfgang Schemmel <bugs@dodgeit.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Wolfgang Schemmel <bugs@dodgeit.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libfile-find-rule-perl: Taint mode fails
Date: Tue, 09 Jan 2007 16:17:38 +0100
Package: libfile-find-rule-perl
Version: 0.30-2
Severity: important
Tags: patch


On etch, the taint mode won't work:

$ perl -MFile::Find::Rule -Tle '$rule=File::Find::Rule->new->extras({ untaint => 1 })->start($ARGV[0]); while ($f = $rule->match ) { print $f; }' .
Insecure dependency in chdir while running with -T switch at /usr/share/perl5/File/Find/Rule.pm line 591.

This _will_ render all scripts, programs and applications
using taint mode and this module unusable.

The bug is listed at CPAN for about 2 months now:
http://rt.cpan.org/Public/Bug/Display.html?id=20418
However, the untainting in that patch is just a slob job.
Mine does real untainting.


Patch (taken from working version 0.28 from sarge):
--- Rule.pm.030 2007-01-09 16:10:53.000000000 +0100
+++ Rule.pm.030.fixed   2007-01-09 16:10:53.000000000 +0100
@@ -575,6 +575,12 @@

     my $sub = eval "$code" or die "compile error '$code' $@";
     my $cwd = getcwd;
+    # Untaint it
+    if ( $cwd =~ qr|^([-+@\w./]+)$| ) {
+        $cwd = $1;
+    } else {
+        die "Couldn't untaint \$cwd: [$cwd]";
+    }
     for my $path (@_) {
         # $topdir is used for relative and maxdepth
         $topdir = $path;
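
Review bot: The `die` in the new `else` branch fires for every caller, not only under -T. The block runs unconditionally right after `my $cwd = getcwd;`, so a script started from a directory whose name has a character outside `[-+@\w./]` (a space, for instance) now aborts even when taint checking is off. Suggest guarding the block with the `untaint` option used in the report's reproduction command, or with `${^TAINT}`, and leaving `$cwd` untouched otherwise.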


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-15)

Versions of packages libfile-find-rule-perl depends on:
ii  libnumber-compare-perl        0.01-4     Perform numeric comparisons in Per
ii  libtext-glob-perl             0.07-1     Match globbing patterns against te
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction 
ii  perl-modules                  5.8.8-7    Core Perl modules

libfile-find-rule-perl recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#406205; Package libfile-find-rule-perl. Full text and rfc822 format available.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 406205@bugs.debian.org (full text, mbox):

From: Gunnar Wolf <gwolf@gwolf.org>
To: Wolfgang Schemmel <bugs@dodgeit.com>, 406205@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#406205: libfile-find-rule-perl: Taint mode fails
Date: Tue, 9 Jan 2007 17:50:47 -0600
tag 406205 + upstream
severity 406205 minor
thanks

Wolfgang Schemmel wrote [Tue, Jan 09, 2007 at 04:17:38PM +0100]:
> On etch, the taint mode won't work:
> 
> $ perl -MFile::Find::Rule -Tle '$rule=File::Find::Rule->new->extras({ untaint => 1 })->start($ARGV[0]); while ($f = $rule->match ) { print $f; }' .
> Insecure dependency in chdir while running with -T switch at /usr/share/perl5/File/Find/Rule.pm line 591.
> 
> This _will_ render all scripts, programs and applications
> using taint mode and this module unusable.
> 
> The bug is listed at CPAN for about 2 months now:
> http://rt.cpan.org/Public/Bug/Display.html?id=20418
> However, the untainting in that patch is just a slob job.
> Mine does real untainting.

Umh... I'm not sure I like this. I think the taint mode _is_ working
correctly here - You are getting information from outside your
program's direct control (the result of getcwd), and that perfectly
qualifies as tainting. And, although you include a check against a
regular expression, AFAICT it's a pretty arbitrary one:

>      my $cwd = getcwd;
> +    # Untaint it
> +    if ( $cwd =~ qr|^([-+@\w./]+)$| ) {
> +        $cwd = $1;
> +    } else {
> +        die "Couldn't untaint \$cwd: [$cwd]";
> +    }
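
Review bot: The closing `$` in the pattern also matches just before a trailing newline, so a working directory whose name ends in a newline passes the test and `$1` comes back without it, which is a different path from the one `getcwd` returned. Anchor with `\A` and `\z` instead, as in `qr|\A([-+@\w./]+)\z|`.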

Many users (although it's against the Unix culture) use spaces inside
files and directories (i.e. many of my users have their "My Documents"
Windows directory backed up in my server). Or filenames with all kinds
of diacritical marks on them, which would fail your test. But still,
you are not untainting the information - you are just giving a
hopefully correct pattern, still subject to containing wrong
information.

If anything, I would recommend changing the module's behaviour in a
way that the user should specify that he _knows_ some taintedness will
enter this way (although very probably benign, system-generated
taintedness), i.e., invoking this way (for the documentation's first
example):

my @subdirs = File::Find::Rule->directory(untaint=>1)->in( $directory );

PS- I'm following up this report to the upstream bug you mentioned, as
it belongs to upstream development and not in Debian.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
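
The pattern from the quoted patch, run over constructed directory names to show which ones it rejects and which it alters. This is an added example, not part of any message in this report and not File::Find::Rule code; `$strict_re`, `check` and `printable` are names assumed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern from the patch quoted in this report, unchanged.
my $patch_re = qr|^([-+@\w./]+)$|;

# Assumed variant: same character class, anchored with \A and \z so
# that nothing, not even a trailing newline, may follow the capture.
my $strict_re = qr|\A([-+@\w./]+)\z|;

# Constructed sample directories (not taken from the bug report).
my @samples = (
    "/home/user/project",
    "/srv/backup/My Documents",    # space in a directory name
    "/home/user/caf\xc3\xa9",      # UTF-8 bytes of an accented letter
    "/tmp/build\n",                # a newline is legal in a file name
);

# Return the captured path if $re accepts $path, undef otherwise.
sub check {
    my ($re, $path) = @_;
    return $path =~ $re ? $1 : undef;
}

# Quote a path and render non-printable or non-ASCII bytes as \xNN.
sub printable {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf '\\x%02x', ord $1/ge;
    return "'$s'";
}

for my $path (@samples) {
    print "cwd ", printable($path), "\n";
    for my $case ([patch => $patch_re], [strict => $strict_re]) {
        my ($name, $re) = @$case;
        my $got = check($re, $path);
        print "  $name: ",
            !defined $got ? "rejected (the patched code would die here)"
          : $got eq $path ? "accepted unchanged"
          :                 "accepted but altered to " . printable($got),
            "\n";
    }
}
```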



Tags added: upstream Request was from Gunnar Wolf <gwolf@gwolf.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `minor' from `important' Request was from Gunnar Wolf <gwolf@gwolf.org> to control@bugs.debian.org. Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=20418. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (Sun, 12 Aug 2007 01:15:02 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 30 Nov 2009 17:09:29 GMT) Full text and rfc822 format available.

Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Tue, 20 Sep 2011 15:36:03 GMT) Full text and rfc822 format available.

Notification sent to Wolfgang Schemmel <bugs@dodgeit.com>:
Bug acknowledged by developer. (Tue, 20 Sep 2011 15:36:05 GMT) Full text and rfc822 format available.

Message #23 received at 406205-done@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: 406205-done@bugs.debian.org
Subject: Re: Bug#406205: libfile-find-rule-perl: Taint mode fails
Date: Tue, 20 Sep 2011 17:33:42 +0200
Version: 0.32-1

On Tue, 09 Jan 2007 17:50:47 -0600, Gunnar Wolf wrote:

> PS- I'm following up this report to the upstream bug you mentioned, as
> it belongs to upstream development and not in Debian.

According to the upstream bug report at
https://rt.cpan.org/Public/Bug/Display.html?id=20418
this is fixed since 0.31.

Closing this bug accordingly (with 0.32-1 which seems to be the first
upload afterwards.)

Cheers,
gregor
 
-- 
 .''`.   Homepage: http://info.comodo.priv.at/ - PGP/GPG key ID: 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Rigmor Gustafsson: Makin' Whoopee

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Oct 2011 07:32:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:02:54 2014; Machine Name: beach.debian.org
