|Subject:||setcwd fails in taint mode|
|Date:||Thu, 20 Aug 2015 10:04:26 +0000|
|To:||"'bug-Net-SFTP-Foreign [...] rt.cpan.org'" <bug-Net-SFTP-Foreign [...] rt.cpan.org>|
|From:||Julian Bridle <Julian.Bridle [...] mrhgb.co.uk>|
Firstly, thank you for the Net::SFTP:Foreign module. I use it for a communications subsystem transferring files between various third parties using a mixture of protocols and encryption, and have found it very useful alongside Net::FTP and LWP. On porting this system to a new server, I encountered a new problem. I realise something similar has been reported before with an incorrect example, but I'm reasonably experienced with taint mode and I'm pretty sure there is a bug: If I pass a guaranteed untainted variable (a literal value of "/" in this test case) to the setcwd method, it fails with a taint error. $remote->setcwd("/"); The environment where this issue occurs is: debian Jessie 8.1 perl 5.20.2 Net::SFTP::Foreign 1.77 (standard Jessie package libnet-sftp-foreign-perl) My old environment does NOT exhibit the problem with the same test script: debian squeeze 6.0.4 perl 5.10.1 Net::SFTP::Foreign 1.57 (standard squeeze package libnet-sftp-foreign-perl) I attach a test case. To show the error. perl setcwd_test.prl [ unsorted list of files/directories ] perl -T setcwd_test.prl Insecure argument '/' on 'stat' method call while running with -T switch at setcwd_test.prl line 13. Regards, Julian Bridle This e-mail has been sent by a company that is a member of the MRH (GB) Limited group of companies. MRH (GB) Limited is a company registered in England and Wales with the registration number 6360543. The Registered Office is Vincent House, 4 Grove Lane, Epping, Essex, CM16 4LH. Tel: +44 (0)1992 571937, Fax: +44 (0)1992 571950. The VAT Registration Number is: 718 6378 04. Different VAT numbers are in use by some of the other companies within the MRH (GB) Limited group. Confidentiality: This e-mail and its attachments are confidential, may be legally privileged and are intended solely for the above named addressee(s). However, in certain circumstances the contents of this e-mail may have to be disclosed in response to a request pursuant to the Data Protection Act. If you have received this e-mail in error you must take no action based on it or its attachments, nor must you copy or show them to anyone. You must notify the sender immediately and then delete the e-mail and any attachments. Security: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. E-mails are susceptible to interference. If you are in any doubt about the origins of this e-mail or whether its original content has been accurately reproduced, please verify its authenticity with the sender. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although reasonable steps have been taken to ensure that this e-mail and its attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure that they are actually virus free.
Message body not shown because it is not plain text.