Subject: Bug in Taint mode?
Date: Thu, 20 Aug 2009 15:33:19 -0400
To: bug-Archive-Zip [...] rt.cpan.org
From: "Gerald Sta. Ana" <gstaana [...] oneil.com>
Hi,
I am running Perl 5.8.8 with Archive::Zip v1.26 on Windows XP and am
having problems when taint mode is turned on.
It seems to stem from the call that Archive.pm makes in the addTree()
function to File::Find::find. The error is:
Insecure dependency in chdir while running with -T switch at
C:/perl/lib/File/Find.pm line 769.
(I am using File::Find v1.10.)
I've run through the code and it looks like File::Find needs certain
parameters passed into it via the "wanted" parameter so that it would do
untainting properly whenever it does the chdir command.
Unfortunately, it seems that Archive::Zip doesn't use those parameters
and therefore that error occurs.
(I've checked the latest versions of Archive::Zip with File::Find but
they seem to have the same code/problem.)
Here's the fix that I added in the addTree() function:
Original: (approximately line 592)
File::Find::find( $wanted, $root );
To:
my $wantedhash = { wanted => $wanted, untaint => '1',
untaint_pattern => '^([\s\S]*)$' };
File::Find::find( $wantedhash, $root );
This seems to remove the taint problem although this isn't really a good
taint pattern (it passes whatever string/filename is used but I guess
that should also work with Unicode characters in filenames).
Note:
This line also seems to work although it may have side-effects that I
may not know about.
my $wantedhash = { wanted => $wanted, no_chdir => '1' };
Hope this helps out. It would be great if this code was added (or some
better way to code it) in a future release.
Sincerely,
J. Gerald Sta. Ana
Senior Application Developer
O'NEIL & ASSOCIATES, INC. <http://oneil.com/>
495 Byers Rd.
Miamisburg, Ohio 45342-3662
Phone: (937) 865-0846 ext. 3038
Fax: (937) 865-5858
E-mail: gstaana@oneil.com
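An added example, not code from the report or from Archive::Zip, that runs the two fixes the report proposes side by side under -T: the no_chdir variant, and the untaint variant with a stricter untaint_pattern than the catch-all '^([\s\S]*)$'. The sample tree, the PATH value and the character class in the pattern are assumptions for the demonstration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Find ();
use File::Temp qw(tempdir);
use File::Spec::Functions qw(catfile catdir);

# Under -T, %ENV is tainted; sanitise it before File::Find may chdir.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Strict pattern: only path characters we expect (space included for
# Windows profile paths). Anything else stays tainted and is skipped.
my $safe_path = qr{^([-+@\w./\\: ]+)$};

# Constructed sample tree (not from the report) so the script runs offline.
my $root = tempdir( CLEANUP => 1 );
($root) = $root =~ $safe_path or die "temp dir path rejected by pattern\n";
mkdir catdir( $root, 'sub' ) or die "mkdir: $!";
for my $rel ( 'a.txt', catfile( 'sub', 'b.txt' ) ) {
    open my $fh, '>', catfile( $root, $rel ) or die "open $rel: $!";
    print {$fh} "sample\n";
    close $fh;
}

# Fix 1 from the report: never chdir. $File::Find::name is the full path,
# so no directory name is ever passed to chdir and nothing needs untainting.
my @found_no_chdir;
File::Find::find(
    { wanted => sub { push @found_no_chdir, $File::Find::name if -f }, no_chdir => 1 },
    $root,
);

# Fix 2 from the report, hardened: File::Find still chdirs, but only into
# directory names that match $safe_path; others are skipped, not died on.
my @found_untaint;
File::Find::find(
    {
        wanted          => sub { push @found_untaint, $File::Find::name if -f },
        untaint         => 1,
        untaint_pattern => $safe_path,
        untaint_skip    => 1,
    },
    $root,
);

print "no_chdir: @found_no_chdir\n";
print "untaint:  @found_untaint\n";
```

Both walks should list the same two files; with the report's catch-all pattern the second walk would also succeed, but only because every name is accepted, which is what the report itself flags as not really a good taint pattern.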