This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 6639
Status: resolved
Priority: 0/
Queue: Archive-Zip

People
Owner: nedkonz [...] cpan.org
Requestors: kai.iskratsch [...] awd.at
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089.
If perl is running in -T mode you will get the error message:
Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089.

when using addTree, or a similar one when using modifyTree. That's because chdir checks for tainted data and the return of cwd() is marked tainted.
If you untaint this data the next problem is File::Find, which will get you a similar error unless you use the untaint option from it.

I added a small patch that gets Archive Zip running in taint mode (only tested with 5.6.1 and 5.8.0).
Content-Disposition: inline; filename="archive_zip1_10.patch"
diff B C:\Dokumente und Einstellungen\5096\Desktop\Archive.pm C:\Dokumente und Einstellungen\5096\Desktop\Archive_Zip.pm 1082c1082,1083 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); > 1094c1095 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1251c1252 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); 1264c1265 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1298a1300,1307 > } > > sub untaintDir > { > my $dir=shift; > $dir=~/([\.\/\w\-])/; > $dir=$1; > return $dir;
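Review bot: in the added untaintDir sub, the pattern `/([\.\/\w\-])/` has no anchors and no `+`, so `$1` captures only the first allowed character of the path and `$startDir` ends up as a single character (for an absolute path, `/`); the directory saved from cwd() is lost. Anchor the pattern at both ends, add the quantifier, and test that the match succeeded before reading `$1`.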
From: kai.iskratsch [...] awd.at
Sorry, I appended the wrong patch file. This is the right one.
Content-Disposition: inline; filename="archive_zip1_10.patch"
diff B C:\Dokumente und Einstellungen\5096\Desktop\Archive.pm C:\Dokumente und Einstellungen\5096\Desktop\Archive_Zip.pm 1082c1082,1083 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); > 1094c1095 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1251c1252 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); 1264c1265 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1298a1300,1307 > } > > sub untaintDir > { > my $dir=shift; > $dir=~/^([\-\+\@\w\.\/]+)$/; > $dir=$1; > return $dir;
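Review bot: untaintDir assigns `$dir=$1;` without checking that the match on the line before it succeeded. When cwd() returns a path containing a character outside the class, such as the spaces and backslashes in the Windows paths on this diff's own header line, the match fails and `$1` is either undefined or left over from an earlier successful match, so `$startDir` receives an undefined or unrelated value. Return `$1` only when the match succeeds and have the two call sites die otherwise. The calls also use a leading `&` (`&untaintDir(cwd())`), which is not needed here.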
[guest - Wed Jun 16 08:48:52 2004]:
> if perl is running in -T mode you will get the error Message:
> Insecure dependency in chdir while running with -T switch at
> /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089.
>
> when using addTree or a similar one when using modifyTree. that's
> because chdir checks for tainted Data and the return of cwd() is
> marked tainted.
> If you untaint this data the next problem is File::Find which will get
> you a similar Error unless you use the untaint option from it.
The return value from cwd() is supposed to be taint-safe, or at least it says so in the Cwd pod. Have you tried this using Cwd v 2.18 yet?
[guest - Wed Jun 16 09:23:54 2004]:
> sorry i appended the wrong patch file. this is the right one.
Will this work right with:
* Mac OS?
* Windows
* Older versions of Perl and File::Find (back to 5.003_96, like A::Z)?

Thanks,
Ned
> Will this work right with:
> * Mac OS?
> * Windows
I have no MacOS system, so I have no chance to test it on a Mac. But the only thing to check would be whether the regular expression for the untaint checks fits all possible MacOS filenames. For Windows you probably will have to add a \ to the allowed chars in the filename regular expression. I will check that later, when I have a Windows computer with Perl running on it somewhere near. If you have to change this pattern you might have to set untaint_pattern in the file-find options to the same pattern. I'm now using the default pattern from it for my checks too.
> * Older versions of Perl and File::Find (back to 5.003_96, like A::Z)?
Seems like 5.003 perl doesn't have the untaint option in File::Find; it's in it since 5.6.0, so you will have to do a version check before you call File::Find and call it with different options if you want to keep it compatible with versions below 5.6.

kai
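The checks discussed in this ticket, shown as an added example (not Archive::Zip's code and not the submitted patch): an untaint helper that reads `$1` only after a successful match, and a File::Find call that passes the same pattern as `untaint_pattern` behind a Perl version check. The names `untaint_dir`, `find_names` and `$DIR_PATTERN` are hypothetical, and the script assumes a current Perl run as `perl -T`.

```perl
use strict;
use Cwd ();
use File::Find ();

# Allow-list with the same character class as the corrected patch in this
# ticket. It rejects spaces and backslashes, so Windows paths need more.
my $DIR_PATTERN = qr{^([-+\@\w./]+)$};

# Hypothetical helper: return the untainted name, or die when it does not
# match. $1 is read only after a successful match, so a stale capture from
# an earlier regex can never be returned.
sub untaint_dir {
    my ($dir) = @_;
    defined $dir && $dir =~ $DIR_PATTERN
        or die "unexpected characters in directory name\n";
    return $1;
}

# Hypothetical wrapper: list everything under $root, then return to the
# starting directory. The options-hash form of find() is used only where
# File::Find has the untaint option (5.6.0 onwards, per the thread).
sub find_names {
    my ($root) = @_;
    my $start = untaint_dir( Cwd::cwd() );
    my @names;
    my $wanted = sub { push @names, $File::Find::name };

    if ( $] >= 5.006 ) {
        File::Find::find(
            {
                wanted          => $wanted,
                untaint         => 1,
                untaint_pattern => $DIR_PATTERN,    # same pattern as above
                untaint_skip    => 1,    # skip non-matching dirs, don't die
            },
            untaint_dir($root)
        );
    }
    else {
        # Older File::Find has no untaint option; only the plain call exists.
        File::Find::find( $wanted, $root );
    }
    chdir $start or die "cannot return to $start: $!\n";
    return sort @names;
}

print "$_\n" for find_names( @ARGV ? $ARGV[0] : '.' );
```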

