
This queue is for tickets about the Proc-PID-File CPAN distribution.

Report information
The Basics
Id: 6347
Status: open
Priority: 0/
Queue: Proc-PID-File

People
Owner: Nobody in particular
Requestors: aculver
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: 1.26



Subject: Taint checking $0
Proc-PID-File-1.24
Perl 5.8.0
Linux slogr 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux

Insecure dependency in sysopen while running with -T switch at /usr/lib/perl5/site_perl/5.8.0/Proc/PID/File.pm line 97.

With -T on, $0 on line 45 is considered tainted. I've checked it with a ($ME) = $ME =~ /^(.*)$/; but I'll leave it up to you to decide a better re to use.

diff -u File.pm.original File.pm --- File.pm.original 2004-05-18 11:14:56.000000000 -0400 +++ File.pm 2004-05-18 11:14:33.000000000 -0400 @@ -42,7 +42,7 @@ $RPM_Requires = "procps"; my $RUNDIR = "/var/run"; -my $ME = $0; $ME =~ s|.*/||; +my $ME = $0; ($ME) = $ME =~ /^(.*)$/; $ME =~ s|.*/||; # used to keep non-expiring objects # for simple and procedural interfaces
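Review bot: the untaint pattern on the `+my $ME = $0; ($ME) = $ME =~ /^(.*)$/; $ME =~ s|.*/||;` line accepts whatever `$0` contains, so it only clears the taint flag and validates nothing, which defeats the check `-T` is there to enforce; since only the basename is kept anyway, match the basename against a restricted character class and fail loudly on a mismatch, e.g. `my ($ME) = $0 =~ m{([\w.-]+)\z} or die "unexpected program name: $0";`. As written, a failed match (for instance a `$0` containing a newline, which `.` does not match) leaves `$ME` undefined and the following `s|.*/||` runs on undef.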
Subject: [PATCH] Taint checking $0
On Tue May 18 11:27:24 2004, guest wrote:
> Proc-PID-File-1.24
> Perl 5.8.0
> Linux slogr 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686
> i386 GNU/Linux
>
> Insecure dependency in sysopen while running with -T switch at
> /usr/lib/perl5/site_perl/5.8.0/Proc/PID/File.pm line 97.
>
> With -T on, $0 on line 45 is considered tainted. I've checked it with
> a ($ME) = $ME =~ /^(.*)$/; but I'll leave it up to you to decide a
> better re to use.
The attached patch fixes this problem.
diff -urN Proc-PID-File-1.25.orig/File.pm Proc-PID-File-1.25/File.pm --- Proc-PID-File-1.25.orig/File.pm 2009-09-26 21:50:51.000000000 -0400 +++ Proc-PID-File-1.25/File.pm 2009-09-28 16:28:31.628532800 -0400 @@ -42,7 +42,8 @@ $RPM_Requires = "procps"; my $RUNDIR = "/var/run"; -my $ME = $0; $ME =~ s|.*/||; +$0 =~ m|([^/]+)$|; +my $ME = $1; # used to keep non-expiring objects # for simple and procedural interfaces
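Review bot: `+$0 =~ m|([^/]+)$|;` followed by `+my $ME = $1;` uses `$1` without checking that the match succeeded; if `$0` is empty or ends in `/` the match fails and `$1` still holds the capture from whatever pattern last matched (or is undef), so `$ME` is silently wrong. Assign the capture directly and handle the failure: `my ($ME) = $0 =~ m|([^/]+)$| or die "cannot derive program name from '$0'";`. Note also that `[^/]+` admits every character except the slash, so this still launders the value rather than validating it; a tighter class such as `[\w.-]+` is the better untaint for a name that ends up in a pidfile path.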
CC: Mike Canzoneri <mikecanzoneri [...] gmail.com>
Subject: Re: [rt.cpan.org #6347] [PATCH] Taint checking $0
Date: Wed, 30 Sep 2009 13:53:04 -0700
To: bug-Proc-PID-File [...] rt.cpan.org
From: Erick Calder <e [...] arix.com>
patch applied at revision 2467 (to be included in the upcoming 1.26 release)

Mike: I don't know if you subscribe to the above list. It would make sense for you to :)

- e

On Sep 28, 2009, at 1:34 PM, Jerry D. Hedden via RT wrote:
> Queue: Proc-PID-File
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=6347 >
>
> On Tue May 18 11:27:24 2004, guest wrote:
>> Proc-PID-File-1.24
>> Perl 5.8.0
>> Linux slogr 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686
>> i386 GNU/Linux
>>
>> Insecure dependency in sysopen while running with -T switch at
>> /usr/lib/perl5/site_perl/5.8.0/Proc/PID/File.pm line 97.
>>
>> With -T on, $0 on line 45 is considered tainted. I've checked it with
>> a ($ME) = $ME =~ /^(.*)$/; but I'll leave it up to you to decide a
>> better re to use.
>
> The attached patch fixes this problem.
> diff -urN Proc-PID-File-1.25.orig/File.pm Proc-PID-File-1.25/File.pm > --- Proc-PID-File-1.25.orig/File.pm 2009-09-26 21:50:51.000000000 > -0400 > +++ Proc-PID-File-1.25/File.pm 2009-09-28 16:28:31.628532800 -0400 > @@ -42,7 +42,8 @@ > $RPM_Requires = "procps"; > > my $RUNDIR = "/var/run"; > -my $ME = $0; $ME =~ s|.*/||; > +$0 =~ m|([^/]+)$|; > +my $ME = $1; > > # used to keep non-expiring objects > # for simple and procedural interfaces
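As an added example (not code from Proc::PID::File or from anyone in this ticket), the two approaches discussed above run side by side under `-T`: the blanket untaint from the first report and a validating match that rejects anything that is not a plausible basename. The script name `untaint_demo.pl` and the sample paths are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not part of Proc::PID::File: deriving a program
# basename from $0 under taint mode. Run it as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Laundering, as first proposed in the report: /^(.*)$/ accepts anything,
# so the taint flag is cleared but the value is never validated.
sub launder_name {
    my ($prog) = @_;
    my ($name) = $prog =~ /^(.*)$/;    # undef if $prog contains a newline
    $name =~ s|.*/||;
    return $name;
}

# Validating: the basename must consist of word characters, dots and
# dashes and must start at the beginning or right after a slash. A
# failed match is an error instead of an empty, undefined or stale value.
sub validated_name {
    my ($prog) = @_;
    my ($name) = $prog =~ m{(?:^|/)([\w.-]+)\z}
        or die "refusing to derive a pidfile name from '$prog'\n";
    return $name;
}

# Constructed inputs: a normal path, a bare directory, a name with a space.
for my $prog ('/usr/local/bin/daemon.pl', '/var/tmp/', 'bad name') {
    my $laundered = launder_name($prog);
    my $validated = eval { validated_name($prog) };
    (my $err = $@) =~ s/\n\z//;
    printf "%-26s laundered='%s' validated=%s\n", "'$prog'", $laundered,
        defined $validated ? "'$validated'" : "rejected ($err)";
}

# Under -T, $0 arrives tainted; only the validated result is safe to use
# when building the path handed to sysopen().
my $me = validated_name($0);
printf "tainted(\$0)=%d tainted(\$me)=%d pidfile=%s\n",
    tainted($0) ? 1 : 0, tainted($me) ? 1 : 0, "/var/run/$me.pid";
```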