This queue is for tickets about the Proc-ProcessTable CPAN distribution.

Report information
The Basics
Id: 65594
Status: resolved
Priority: 0/
Queue: Proc-ProcessTable

People
Owner: Nobody in particular
Requestors: olivier [...] diserens.ch
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: $pid is tainted in kill (Insecure dependency in kill)
Date: Wed, 9 Feb 2011 17:33:44 +0100
To: bug-Proc-ProcessTable [...] rt.cpan.org
From: Olivier Diserens <olivier [...] diserens.ch>
Hello, it seems that when calling the kill() function, the $self->pid variable can, under certain circumstances, be tainted and thus cannot be called in the kill wrapper. Throwing this error:

    Insecure dependency in kill while running with -T switch at /usr/local/lib/perl/5.10.1/Proc/ProcessTable/Process.pm line 47, <PIDFILE> line 1.

The original code:

    ########################################################
    # Kill; just a wrapper for perl's kill at the moment
    ########################################################
    sub kill {
      my ($self, $signal) = @_;
      return( kill($signal, $self->pid) );
    }

which I quickly fixed like that (untainting the $pid variable):

    ########################################################
    # Kill; just a wrapper for perl's kill at the moment
    ########################################################
    sub kill {
      my ($self, $signal) = @_;
      my $pid = -1;
      if ( $self->pid =~ m/(\d+)/ ) {
        $pid = $1;
      }
      return( kill($signal, $pid) );
    }

The script that is throwing that is a multi-threaded (using threads(), not fork) daemon that changes its uid/gid to drop privileges. I tried to reproduce the problem in a simpler script but couldn't manage to, so I'm not really sure what happens here.

Best regards
Olivier

Hi Olivier, thanks for the report. Unfortunately I'm preparing a complete rewrite based on my work on libstatgrab and this might take a while until it's finished. Sorry that it won't be fixed soon - but there are too many open issues which would be solvable quickly on their own but each solution will break others. So I decided not to hot-fix and do it well.

Best regards,
Jens

Added a check in the kill function, the pid should be a positive or negative number. I added the change to the github repo, it will be part of the next release.
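The check described in this ticket (accept only an integer pid, positive or negative, and untaint it before kill) as a stand-alone Perl illustration. This is an added example, not Proc::ProcessTable's own code; the untaint_pid and safe_kill names and the pidfile-style tainted input are assumptions, and it goes one step beyond the ticket by also refusing pid 0 and -1, which kill(2) treats as the caller's process group and every signalable process.

```perl
#!/usr/bin/perl -T
# Added example, not Proc::ProcessTable's own code: validate and untaint a pid
# before handing it to kill(), so taint mode never sees an unchecked value.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return the pid as an untainted integer string, or undef when the value is
# not an optionally signed run of digits. Only the anchored capture $1 is
# returned; the original (possibly tainted) string is never passed on.
sub untaint_pid {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A(-?\d+)\z/;   # \z also rejects "123\n"
    my $pid = $1;
    # Stricter than the ticket: kill(2) treats 0 as "my process group" and
    # -1 as "every process I may signal"; a per-process wrapper should not
    # send either by accident.
    return undef if $pid == 0 || $pid == -1;
    return $pid;
}

# Wrapper in the spirit of Process::kill: validate, then call perl's kill.
# Dies with a specific message instead of the generic "Insecure dependency".
sub safe_kill {
    my ($signal, $raw_pid) = @_;
    my $pid = untaint_pid($raw_pid);
    die "refusing to kill: '" . ($raw_pid // 'undef') . "' is not a pid\n"
        unless defined $pid;
    return kill($signal, $pid);
}

# Constructed input: under -T every %ENV value is tainted, so concatenating
# an empty tainted slice of $ENV{PATH} taints our own pid, mimicking a pid
# that was read from a pidfile (which is what the ticket's daemon does).
my $tainted_pid = substr($ENV{PATH} // '', 0, 0) . $$;
die "setup error: expected a tainted pid\n" unless tainted($tainted_pid);

# Signal 0 only performs the existence/permission check; nothing is killed.
printf "kill(0, %s) -> %d\n", $tainted_pid, safe_kill(0, $tainted_pid);

# Each of these is refused before kill() is ever reached.
for my $bad ("12 34", "-1", "abc", "123\n", "") {
    eval { safe_kill(0, $bad) };
    print "rejected: $@" if $@;
}
```

Run it as `perl -T script.pl`; with the -T in the shebang, invoking `perl script.pl` without the switch aborts with "Too late for -T".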

