perl-dev mailing list archives

From Frank Wiles <fr...@wiles.org>
Subject Re: [Fwd: [rt.cpan.org #18584] Apache::DProf not taint safe]
Date Mon, 17 Apr 2006 16:13:56 GMT

  FYI I just uploaded Apache::DB v0.13 to CPAN which fixes this taint
  issue. 

 ---------------------------------
   Frank Wiles <frank@wiles.org>
   http://www.wiles.org
 ---------------------------------


On Fri, 07 Apr 2006 07:43:07 -0400
Geoffrey Young <geoff@modperlcookbook.org> wrote:

> 
> 
> -------- Original Message --------
> Subject: [rt.cpan.org #18584] Apache::DProf not taint safe
> Date: Fri,  7 Apr 2006 06:14:01 -0400 (EDT)
> From:  via RT <bug-Apache-DB@rt.cpan.org>
> Reply-To: bug-Apache-DB@rt.cpan.org
> To: undisclosed-recipients:;
> References: <RT-Ticket-18584@rt.cpan.org>
> 
> 
> Fri Apr 07 06:14:00 2006: Request 18584 was acted upon.
> Transaction: Ticket created by DOMQ
>        Queue: Apache-DB
>      Subject: Apache::DProf not taint safe
>        Owner: Nobody
>   Requestors: DOMQ@cpan.org
>       Status: new
>  Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=18584 >
> 
> 
> Apache::DProf::handler() calls File::Path::mkpath() on a tainted
> parameter, which throws an exception when PerlTaintCheck is On.
> 
> The problem is due to Apache->server_root_relative() returning tainted
> results under MP1, and although I didn't test that, I highly suspect
> all other methods of computing $prof pick up some taint too (from the
> environment I'm pretty sure, and from the MP2 API probably too).
> 
> Attached patch fixes that by applying an adequate regex operation on
> $dir within handler(), and adds a regression test.
> 
> 
> 



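An added example, not the Apache::DB code or the attached patch, showing the failure the ticket describes and the allow-list untaint step that fixes it; `profile_dir`, `untaint_dir`, `create_unsafely` and `create_safely` are hypothetical names, and the script assumes only core Perl modules and is run as `perl -T example.pl`.

```perl
use strict;
use warnings;
use File::Path qw(mkpath rmtree);
use Scalar::Util qw(tainted);

# Hypothetical stand-in for the $dir that Apache::DProf::handler()
# computes. Anything derived from %ENV is tainted under -T, just as
# Apache->server_root_relative() returns tainted values under MP1.
sub profile_dir {
    my $base = $ENV{TMPDIR} || '/tmp';
    # Concatenating a zero-length slice of a tainted string taints the
    # result, so $dir is tainted even when TMPDIR itself is unset.
    return $base . substr($ENV{PATH} || '', 0, 0) . "/dprof.$$";
}

# Allow-list validation: the path must be absolute, built from a limited
# character set, and free of ".." components. Returning the capture is
# what clears the taint flag; anything else is refused, not "cleaned".
sub untaint_dir {
    my ($dir) = @_;
    my ($clean) = $dir =~ m{^(/[\w.\-/]+)\z}
        or die "profile dir has unexpected characters: '$dir'\n";
    die "profile dir contains '..': '$clean'\n"
        if $clean =~ m{(?:^|/)\.\.(?:/|\z)};
    return $clean;
}

# Before the fix: mkpath() on the tainted value dies with
# "Insecure dependency in mkdir while running with -T switch".
sub create_unsafely {
    my $dir = profile_dir();
    eval { mkpath($dir); 1 } or return "refused: $@";
    return "created $dir";
}

# After the fix: validate and untaint first, then create.
sub create_safely {
    my $dir = untaint_dir(profile_dir());
    mkpath($dir);
    return $dir;
}

print "tainted input: ", (tainted(profile_dir()) ? "yes" : "no"), "\n";
print create_unsafely(), "\n";
my $created = create_safely();
print "created $created\n";
rmtree($created);    # clean up the demo directory
```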

