Item12983: Failure due to taint checking on Fedora 20 (Perl v5.18.2)
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Foswiki newly installed on Fedora 20, which uses Perl v5.18.2
All the scripts have taint checking on (-T)
Foswiki coughs and dies in Handler.pm:
Insecure dependency in open while running with -T switch at /PATH/lib/Foswiki/Store/VC/Handler.pm line 985., referer: https://URI/bin/view
at /PATH/lib/Foswiki/Store/VC/Handler.pm line 985., referer: https://URI/bin/view
\tFoswiki::Store::VC::Handler::saveFile('Foswiki::Store::VC::RcsWrapHandler=HASH(0x33eda60)', '/PATH/data/Main/DavidTonhofer.lease', 'expires\\x{a}1406456952\\x{a}user\\x{a}DavidTonhofer\\x{a}taken\\x{a}1406453352
\tFoswiki::Store::VC::Handler::setLease('Foswiki::Store::VC::RcsWrapHandler=HASH(0x33eda60)', 'HASH(0x3e66d78)') called at /PATH/lib/Foswiki/Store/VC/Store.pm line 541, referer: https://gefjun.homelinux.org/wikis/
\tFoswiki::Store::VC::Store::setLease('Foswiki::Store::RcsWrap=HASH(0x2ca7218)', 'Foswiki::Meta=HASH(0x366bc10)', 'HASH(0x3e66d78)') called at /PATH/lib/Foswiki/Meta.pm line 2503, referer: https://gefjun.homelinux
\tFoswiki::Meta::setLease('Foswiki::Meta=HASH(0x366bc10)', 3600) called at /PATH/lib/Foswiki/UI/Edit.pm line 488, referer: https://URI/bin/view
\tFoswiki::UI::Edit::finalize_edit('Foswiki=HASH(0x2b464c0)', 'Foswiki::Meta=HASH(0x366bc10)', '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN...') called at /PATH/lib/Foswiki/UI/Edit.pm line 35, re
\tFoswiki::UI::Edit::edit('Foswiki=HASH(0x2b464c0)') called at /PATH/lib/Foswiki/UI.pm line 316, referer: https://URI/bin/view
\tFoswiki::UI::__ANON__() called at /usr/share/perl5/vendor_perl/Error.pm line 419, referer: https://URI/bin/view
\teval {...} called at /usr/share/perl5/vendor_perl/Error.pm line 411, referer: https://URI/bin/view
\tError::subs::try('CODE(0x1f1b308)', 'HASH(0x2b460a0)') called at /PATH/lib/Foswiki/UI.pm line 435, referer: https://URI/bin/view
\tFoswiki::UI::_execute('Foswiki::Request=HASH(0x2b6ae48)', 'CODE(0x1f65c80)', 'edit', 1) called at /PATH/lib/Foswiki/UI.pm line 274, referer: https://URI/bin/view
\tFoswiki::UI::handleRequest('Foswiki::Request=HASH(0x2b6ae48)') called at /PATH/lib/Foswiki/Engine/CGI.pm line 74, referer: https://URI/bin/view
\tFoswiki::Engine::CGI::run('Foswiki::Engine::CGI=HASH(0x23974b0)') called at /PATH/bin/edit line 24., referer: https://URI/bin/view
Removing the taint flag in all the bin scripts fixes the problem:
use strict;
use warnings;

# Directory holding the Foswiki CGI scripts
my $bin = '/PATH/bin';
opendir(my $dh, $bin) or die "Could not open directory '$bin': $!";
my @entries = readdir($dh);
closedir($dh);
for my $entry (@entries) {
    next if $entry eq '.' || $entry eq '..';
    print "Changing '$entry'\n";
    my $file = "$bin/$entry";
    # Rewrite only line 1: drop the T (taint) switch from the shebang
    system("sed", '--in-place', '1!b;s/^#! \/usr\/bin\/perl -wT/#! \/usr\/bin\/perl -w/', $file);
    if ($? != 0) {
        print STDERR "Error changing file '$file' -- exiting\n";
        exit 1;
    }
}
--
DavidTonhofer - 05 Aug 2014
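The "Insecure dependency in open" message above is what Perl raises under -T when a tainted value reaches an open that writes a file. The script below is an added illustration of that mechanism and of untainting through a validating regex capture; it is not Foswiki code and not part of the original report. The helper name untaint_lease_path, the scratch directory under /tmp and the allowed path shape are assumptions made for the example.

```perl
#!/usr/bin/perl -wT
# Added illustration (not Foswiki code). Run with: perl -wT taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed scratch data directory. $$ (the PID) is not tainted, and mkdir
# fails if the name already exists, so nothing pre-planted is followed.
my $data_dir = "/tmp/taint_demo_$$";
mkdir($data_dir, 0700)        or die "mkdir $data_dir: $!";
mkdir("$data_dir/Main", 0700) or die "mkdir $data_dir/Main: $!";

# Hypothetical helper: accept only <data_dir>/<Web>/<Topic>.lease made of word
# characters. A capture from a successful match is what clears the taint flag.
sub untaint_lease_path {
    my ($path) = @_;
    my ($clean) = $path =~ m{\A(\Q$data_dir\E/\w+/\w+\.lease)\z};
    return $clean;    # undef if the path does not have the allowed shape
}

# Simulate a topic name that arrived from outside the program: appending an
# empty tainted string (taken from $^X) taints the result without changing it.
my $taint = substr($^X, 0, 0);
my $topic = 'DavidTonhofer' . $taint;
my $path  = "$data_dir/Main/$topic.lease";
print "tainted before check: ", (tainted($path) ? "yes" : "no"), "\n";

# 1. Opening for write with the tainted name dies under -T.
my $ok = eval { open(my $fh, '>', $path) or die "open: $!\n"; close $fh; 1 };
print "open with tainted path: ", ($ok ? "succeeded\n" : "died: $@");

# 2. After validation the same open is allowed.
my $clean = untaint_lease_path($path);
defined $clean or die "rejected: $path\n";
open(my $fh, '>', $clean) or die "open $clean: $!";
print {$fh} "expires\n";
close($fh) or die "close: $!";
print "tainted after check: ", (tainted($clean) ? "yes" : "no"), "\n";

# 3. A path that climbs out of the data directory does not match the pattern.
my $bad = "$data_dir/Main/../../etc/x.lease" . $taint;
print "out-of-tree path accepted: ",
    (defined(untaint_lease_path($bad)) ? "yes" : "no"), "\n";

# Remove the scratch files again.
unlink $clean; rmdir "$data_dir/Main"; rmdir $data_dir;
```

The pattern interpolated into the match must itself be untainted, otherwise the captures stay tainted; here $data_dir is built from a literal and the PID only.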
Foswiki 1.2 will ship with -T Taint checking disabled, so we can no-action this task.
--
Main.GeorgeClark - 22 Dec 2014 - 00:43