
This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 48891
Status: new
Priority: 0/
Queue: Archive-Zip

People
Owner: Nobody in particular
Requestors: gstaana [...] oneil.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Bug in Taint mode?
Date: Thu, 20 Aug 2009 15:33:19 -0400
To: <bug-Archive-Zip [...] rt.cpan.org>
From: "Gerald Sta. Ana" <gstaana [...] oneil.com>
Hi,

I am running Perl 5.8.8 with Archive::Zip v1.26 on Windows XP and am having problems when taint mode is turned on. It seems to stem from the call that Archive.pm makes in the addTree() function to File::Find::find. The error is:

    Insecure dependency in chdir while running with -T switch at C:/perl/lib/File/Find.pm line 769.

(I am using File::Find v1.10.)

I've run through the code and it looks like File::Find needs certain parameters passed into it via the "wanted" parameter so that it would do untainting properly whenever it does the chdir command. Unfortunately, it seems that Archive::Zip doesn't use those parameters and therefore that error occurs. (I've checked the latest versions of Archive::Zip with File::Find but they seem to have the same code/problem.)

Here's the fix that I added in the addTree() function:

Original: (approximately line 592)

    File::Find::find( $wanted, $root );

To:

    my $wantedhash = { wanted => $wanted, untaint => '1', untaint_pattern => '^([\s\S]*)$' };
    File::Find::find( $wantedhash, $root );

This seems to remove the taint problem although this isn't really a good taint pattern (it passes whatever string/filename is used but I guess that should also work with Unicode characters in filenames).

Note: This line also seems to work although it may have side-effects that I may not know about.

    my $wantedhash = { wanted => $wanted, no_chdir => '1' };

Hope this helps out. It would be great if this code was added (or some better way to code it) in a future release.

Sincerely,
J. Gerald Sta. Ana
Senior Application Developer
O'NEIL & ASSOCIATES, INC. <http://oneil.com/>
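The File::Find::find call forms discussed in this ticket (plain code reference, untaint with the catch-all pattern, no_chdir), plus an allow-list pattern with untaint_skip, compared under -T. This is an added example, not code from the ticket or from Archive::Zip; the script name, %variants, walk() and the $allow_list pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T walk_taint.pl DIRECTORY   (script name is hypothetical)
use strict;
use warnings;
use File::Find ();

# The root comes from the command line, so it is tainted under -T.
# Use an absolute path: a variant that dies mid-walk may leave the
# process in a different working directory for the next variant.
@ARGV or die "usage: perl -T $0 DIRECTORY\n";
my $root = $ARGV[0];

# Assumed allow-list for path characters on this host: File::Find's
# documented default set plus backslash, colon and space for Windows paths.
# It must also match the current working directory, which File::Find
# untaints with the same pattern. The capture group is required.
my $allow_list = qr|^([-+@\w./\\: ]+)$|;

my %variants = (
    '1 plain coderef'      => undef,    # the call the ticket reports failing
    '2 untaint, catch-all' => { untaint => 1, untaint_pattern => '^([\s\S]*)$' },
    '3 untaint, allow-list' =>
        { untaint => 1, untaint_pattern => $allow_list, untaint_skip => 1 },
    '4 no_chdir'           => { no_chdir => 1 },
);

# Walk $root with one option set; trap die so every variant gets reported.
sub walk {
    my ($opts) = @_;
    my @seen;
    my $wanted = sub { push @seen, $File::Find::name };
    my $ok = eval {
        File::Find::find( $opts ? { %$opts, wanted => $wanted } : $wanted, $root );
        1;
    };
    my $err = $ok ? '' : $@;
    $err =~ s/\s+\z//;
    return ( $ok, scalar @seen, $err );
}

for my $name ( sort keys %variants ) {
    my ( $ok, $count, $err ) = walk( $variants{$name} );
    printf "%-24s %s\n", $name, $ok ? "ok, $count entries" : "died: $err";
}
```

With no_chdir, File::Find documents that $_ in the wanted callback is the same as $File::Find::name rather than the bare file name, so a callback that relies on $_ needs checking before that option is adopted.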