Bug #106559 for Net-SFTP-Foreign: setcwd fails in taint mode

> Firstly, thank you for the Net::SFTP:Foreign module. I use it for a > communications subsystem transferring files between various third > parties using a mixture of protocols and encryption, and have found it > very useful alongside Net::FTP and LWP. On porting this system to a > new server, I encountered a new problem. I realise something similar > has been reported before with an incorrect example, but I'm reasonably > experienced with taint mode and I'm pretty sure there is a bug: > > If I pass a guaranteed untainted variable (a literal value of "/" in > this test case) to the setcwd method, it fails with a taint error. > > $remote->setcwd("/"); > > The environment where this issue occurs is: > > debian Jessie 8.1 > perl 5.20.2 > Net::SFTP::Foreign 1.77 (standard Jessie package libnet-sftp-foreign- > perl) > > My old environment does NOT exhibit the problem with the same test > script: > > debian squeeze 6.0.4 > perl 5.10.1 > Net::SFTP::Foreign 1.57 (standard squeeze package libnet-sftp- > foreign-perl) > > I attach a test case. To show the error. > > perl setcwd_test.prl > [ unsorted list of files/directories ] > > perl -T setcwd_test.prl > Insecure argument '/' on 'stat' method call while running with -T > switch at setcwd_test.prl line 13. > > Regards, > > Julian Bridle > > This e-mail has been sent by a company that is a member of the MRH > (GB) Limited group of companies. MRH (GB) Limited is a company > registered in England and Wales with the registration number 6360543. > The Registered Office is Vincent House, 4 Grove Lane, Epping, Essex, > CM16 4LH. Tel: +44 (0)1992 571937, Fax: +44 (0)1992 571950. The VAT > Registration Number is: 718 6378 04. Different VAT numbers are in use > by some of the other companies within the MRH (GB) Limited group. > Confidentiality: This e-mail and its attachments are confidential, may > be legally privileged and are intended solely for the above named > addressee(s). However, in certain circumstances the contents of this > e-mail may have to be disclosed in response to a request pursuant to > the Data Protection Act. If you have received this e-mail in error you > must take no action based on it or its attachments, nor must you copy > or show them to anyone. You must notify the sender immediately and > then delete the e-mail and any attachments. Security: Please note that > this e-mail has been created in the knowledge that Internet e-mail is > not a 100% secure communications medium. E-mails are susceptible to > interference. If you are in any doubt about the origins of this e-mail > or whether its original content has been accurately reproduced, please > verify its authenticity with the sender. We advise that you understand > and observe this lack of security when e-mailing us. Viruses: Although > reasonable steps have been taken to ensure that this e-mail and its > attachments are free from any virus, we advise that in keeping with > good computing practice the recipient should ensure that they are > actually virus free.

----- Original Message ----- That is a tricky matter as the data coming from the SFTP connection should be left marked as tainted. For now, it is just untainting the realpath coming from the remote host explicitly inside setcwd. A new developing version of the module with that fix is available: https://metacpan.org/release/SALVA/Net-SFTP-Foreign-1.78_07 Anyway, other high level methods would probably have similar issues. Don't hesitate to report them if you find any. Thank you!

-----Original Message----- From: Salvador \"Fandiño\" via RT [mailto:bug-Net-SFTP-Foreign@rt.cpan.org] Sent: 06 October 2015 13:34 To: Julian Bridle Subject: Re: [rt.cpan.org #106559] setcwd fails in taint mode <URL: https://rt.cpan.org/Ticket/Display.html?id=106559 >