This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 48891
Status: new
Priority: Low/Low
Queue: Archive-Zip

People
Owner: Nobody in particular
Requestors: gstaana [...] oneil.com
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Bug in Taint mode?
Date: Thu, 20 Aug 2009 15:33:19 -0400
To: <bug-Archive-Zip@rt.cpan.org>
From: "Gerald Sta. Ana" <gstaana@oneil.com>

Hi,

I am running Perl 5.8.8 with Archive::Zip v1.26 on Windows XP and am having problems when taint mode is turned on.

It seems to stem from the call that Archive.pm makes in the addTree() function to File::Find::find. The error is:

    Insecure dependency in chdir while running with -T switch at C:/perl/lib/File/Find.pm line 769.

(I am using File::Find v1.10.)

I’ve run through the code and it looks like File::Find needs certain parameters passed into it via the “wanted” parameter so that it would do untainting properly whenever it does the chdir command.

Unfortunately, it seems that Archive::Zip doesn’t use those parameters and therefore that error occurs.

(I’ve checked the latest versions of Archive::Zip with File::Find but they seem to have the same code/problem.)

Here’s the fix that I added in the addTree() function:

Original: (approximately line 592)

    File::Find::find( $wanted, $root );

To:

    # Pass File::Find an options hash instead of a bare callback, so that it
    # untaints each directory name (and the saved cwd) before calling chdir.
    my $wantedhash = {
        wanted          => $wanted,
        untaint         => 1,
        untaint_pattern => qr/^([\s\S]*)$/,   # File::Find expects a qr// with one capture group
    };

    File::Find::find( $wantedhash, $root );

This seems to remove the taint problem although this isn’t really a good taint pattern (it passes whatever string/filename is used but I guess that should also work with Unicode characters in filenames).

Note:

   This line also seems to work although it may have side-effects that I may not know about.

    # Alternative: never chdir at all; $_ inside the callback then holds the full path.
    my $wantedhash = { wanted => $wanted, no_chdir => 1 };

Hope this helps out.  It would be great if this code was added (or some better way to code it) in a future release.

Sincerely,

J. Gerald Sta. Ana
Senior Application Developer
Miamisburg, Ohio 45342-3662
Phone: (937) 865-0846 ext. 3038
Fax: (937) 865-5858
E-mail: gstaana@oneil.com

REVOLUTIONIZING DOCUMENTATION >>> POWERING PRODUCT SUPPORT

**********************************************************************
Confidentiality Notice
The information contained in this e-mail is confidential and intended for use only by the person(s) or organization listed in the address. If you have received this communication in error, please contact the sender at O'Neil & Associates, Inc., immediately. Any copying, dissemination, or distribution of this communication, other than by the intended recipient, is strictly prohibited.
**********************************************************************
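The behaviour the report describes, as an added stand-alone demonstration (this is not code from the report, from File::Find or from Archive::Zip): the script builds a tiny directory tree, then walks it with File::Find::find under -T three ways. The first call passes only a callback, as Archive::Zip's addTree() did, and aborts with the "Insecure dependency in chdir" error because every name File::Find learns from readdir() is tainted. The second passes untaint with a restrictive untaint_pattern; the third passes no_chdir, which avoids chdir entirely but changes $_ inside the callback to the full path. The fixture directory name, the collect() helper and the character class in $strict_pattern are assumptions made for this example; the class includes drive letters, backslashes and spaces so that a Windows cwd can pass, and if your cwd contains other characters the untaint variant reports the failure instead of walking.

```perl
#!/usr/bin/perl -T
# Added demonstration, not part of the bug report or of Archive::Zip.
# Run with:  perl -T taint_find.pl
use strict;
use warnings;
use File::Find ();

# Standard taint-mode hygiene: drop environment variables that influence
# subprocesses, so later system()/open() calls would not trip -T either.
delete @ENV{qw(PATH ENV BASH_ENV CDPATH IFS)};

# Constructed fixture (assumption: this directory name is free). Only the
# top-level name is a literal; every name below it reaches File::Find via
# readdir(), and data read from the filesystem is tainted under -T.
my $root = 'taint_find_demo';

sub make_fixture {
    for my $d ($root, "$root/sub", "$root/sub/deeper") {
        mkdir $d or -d $d or die "mkdir $d: $!";
    }
    open my $fh, '>', "$root/sub/deeper/file.txt" or die "open: $!";
    print {$fh} "demo\n";
    close $fh;
}

sub remove_fixture {
    unlink "$root/sub/deeper/file.txt";
    rmdir $_ for "$root/sub/deeper", "$root/sub", $root;
}

# Walk $root with the given File::Find options and return the files found,
# or the die() message if find() aborted.
sub collect {
    my (%opts) = @_;
    my @found;
    # -f $_ works in both modes: $_ is the basename after chdir, or the
    # full path when no_chdir is set.
    my $wanted = sub { push @found, $File::Find::name if -f $_ };
    eval { File::Find::find({ wanted => $wanted, %opts }, $root); 1 }
        or return "DIED: $@";
    return join ', ', sort @found;
}

# Assumption: this character class covers the cwd and directory names of the
# machine running the demo (drive letter, backslashes and spaces included for
# Windows). Widen it deliberately; qr/^([\s\S]*)$/ would accept anything and
# turn the untaint step into a no-op.
my $strict_pattern = qr{^([-+@\w ./\\:]+)$};

make_fixture();
printf "%-10s %s\n", 'plain:',    collect();
printf "%-10s %s\n", 'untaint:',  collect(untaint => 1, untaint_pattern => $strict_pattern);
printf "%-10s %s\n", 'no_chdir:', collect(no_chdir => 1);   # never calls chdir
remove_fixture();
```

The practical choice for a library like Archive::Zip is between the two working variants: untaint keeps the chdir but only accepts directory names matching a pattern you control, so a pattern that matches everything gives up the check that taint mode was supposed to enforce; no_chdir sidesteps chdir and the pattern question altogether, and the only thing to audit is any callback code that assumed $_ held a bare filename relative to the current directory.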


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.