
This queue is for tickets about the Mail-Audit CPAN distribution.

Report information
The Basics
Id: 1989
Status: resolved
Priority: 0/
Queue: Mail-Audit

People
Owner: Nobody in particular
Requestors: Philip.Newton [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: Error in global destruction when run with taint checks
I'm running Mail::Audit 2.1 with perl 5.6.1. It was installed by my web hosting company. I'm also using Mail::SpamAssassin 2.43, but I think the bug doesn't lie there.

When I send mail to my test script, it does what I want, but I also get a bounce from the mailer-daemon due to this error message the script produces:

    (in cleanup) Insecure dependency in unlink while running setuid at /usr/lib/perl5/5.6.1/File/Path.pm line 233 during global destruction.

That line is in rmtree(), which is presumably called from Mail::Audit::MimeEntity's sub DESTROY, which calls "rmtree(\@to_rmdir, 0, 1)". I'm not sure what's in @to_rmdir (it's populated with $parser->filer->output_dir, apparently) but it's presumably based on non-untainted user input or something.

Could this be turned off by untainting whatever it is that fills @to_rmdir? (Oh, and the directory is apparently not deleted.)

I'm running setuid (so I can write log info to my private directory even though the script is called as user 'mail') and have the script running with -T, and I don't want filtered mail to produce such an error message output (even though it'll get correctly delivered, hopefully) to people who send me mail.
[PNE - Sun Jan 26 10:31:14 2003]:
> (in cleanup) Insecure dependency in unlink while running setuid at
> /usr/lib/perl5/5.6.1/File/Path.pm line 233 during global destruction.

This error apparently does not occur when I pass "nomime => 1" to the Mail::Audit constructor (which I saw mentioned in the SpamAssassin docs in a different context), which strengthens my belief that it's Mail::Audit::MimeEntity's "fault".
Date: Sun, 26 Jan 2003 15:47:21 -0500
From: Meng Weng Wong <mengwong [...] dumbo.pobox.com>
To: Philip Newton via RT <bug-Mail-Audit [...] rt.cpan.org>
Subject: Re: [cpan #1989] Error in global destruction when run with taint checks
RT-Send-Cc:
quite right, i have a new mime handling architecture in the works that will solve this.

alternatively try getting the CVS version which may have fixed this already.

    cvs -d:pserver:cvs@cvs.simon-cozens.org:/var/cvs/modules co .

On Sun, Jan 26, 2003 at 02:50:29PM -0500, Philip Newton via RT wrote:
|
| This message about Mail-Audit was sent to you by PNE <pne@cpan.org> via rt.cpan.org
|
| Full context and any attached attachments can be found at:
| <URL: https://rt.cpan.org/Ticket/Display.html?id=1989 >
|
| [PNE - Sun Jan 26 10:31:14 2003]:
|
| > (in cleanup) Insecure dependency in unlink while running setuid at
| > /usr/lib/perl5/5.6.1/File/Path.pm line 233 during global destruction.
|
| This error apparently does not occur when I pass "nomime => 1" to the
| Mail::Audit constructor (which I saw mentioned in the SpamAssassin docs in a different
| context), which strengthens my belief that it's Mail::Audit::MimeEntity's "fault".
Ugh. File::Temp makes all that code obsolete. Fixed. -- rjbs
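
Added example (not Mail::Audit's code and not the fix applied in this ticket): one way to clean up a scratch directory under -T is to validate the path against a strict pattern before handing it to rmtree(), rather than untainting it blindly with something like /(.*)/. The helper untaint_scratch_dir, the /tmp base and the "msgdir-XXXXXXXX" naming scheme are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not Mail::Audit code. The base directory and the
# "msgdir-XXXXXXXX" naming scheme are assumptions made for the demo.
use strict;
use warnings;
use File::Path qw(rmtree);
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

my $BASE = '/tmp';    # assumed scratch root, a trusted constant

# Return an untainted copy of $dir only if it is exactly
# $BASE/msgdir-<8 word chars> and is a real directory, not a symlink.
# A regex capture is the supported way to untaint; the pattern is the
# actual validation, so it must be anchored and narrow.
sub untaint_scratch_dir {
    my ($dir) = @_;
    return unless defined $dir;
    my ($clean) = $dir =~ m{\A(\Q$BASE\E/msgdir-\w{8})\z} or return;
    return unless -d $clean && !-l $clean;
    return $clean;
}

# Constructed input: a directory we own, with taint reattached to mimic
# a path that passed through message-derived data.
my $real    = tempdir('msgdir-XXXXXXXX', DIR => $BASE);
my $tainted = $real . substr($^X, 0, 0);    # $^X is tainted under -T
print "tainted before check: ", (tainted($tainted) ? "yes" : "no"), "\n";

# Unvalidated cleanup: perl raises an "Insecure dependency" error.
eval { rmtree([$tainted], 0, 1); 1 } or print "refused: $@";

# Validated cleanup goes through; an off-pattern path is rejected.
my $bogus = "$BASE/msgdir-../../etc" . substr($^X, 0, 0);   # constructed
for my $candidate ($tainted, $bogus) {
    if (my $ok = untaint_scratch_dir($candidate)) {
        rmtree([$ok], 0, 1);
        print "removed $ok\n";
    }
    else {
        print "rejected $candidate\n";
    }
}
```

Run it as `perl -T example.pl`, since older perls refuse a -T that appears only on the #! line.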