Bug #66299 for CGI-Session: doesn't work in tainted mode 5.10.1

RT for rt.cpan.org

This queue is for tickets about the CGI-Session CPAN distribution.

Report information

The Basics

Id:	66299
Status:	new
Priority:	0/
Queue:	CGI-Session

People

Owner:	Nobody in particular
Requestors:	zdenek.styblik [...] gmail.com
Cc:
AdminCc:

Bug Information

Severity:	Normal
Broken in:	4.43
Fixed in:	(no value)

History Show all quoted text

Tue Mar 01 14:56:21 2011 zdenek.styblik [...] gmail.com - Ticket created

Subject:

doesn't work in tainted mode 5.10.1

Hello, I've actually found two problems: ~~~ SNIP ~~~ Error executing class callback in prerun stage: Insecure dependency in mkdir while running with -T switch at /usr/lib64/perl5/5.10.1/File/Path.pm line 108. ~~~ SNIP ~~~ when session directory doesn't exist. And: ~~~ SNIP ~~~ Error executing class callback in prerun stage: Insecure dependency in sysopen while running with -T switch at /usr/lib64/perl5/site_perl/5.10.1/CGI/Session/Driver/db_file.pm line 98. ~~~ SNIP ~~~ when session directory exists. All rub lies withing '$lock_file' variable at line 93. I haven't figured out how to fix it yet, because...well, I just didn't. I know there is not much you can do about File::Path, but how about '$lock_file'? Please? Also, if I luckily found out solution, I'll post back. Thanks!

Tue Mar 01 15:09:21 2011 zdenek.styblik [...] gmail.com - Correspondence added

From:

zdenek.styblik [...] gmail.com

On Tue Mar 01 14:56:21 2011, stybla wrote: [...] Show quoted text

> Also, if I luckily found out solution, I'll post back.

I don't know any other way how to untaint variable. Yes, I do agree this is *really* stupid way. Please, take it as a proposal or whatever. Z.

Subject:

db_file.pm.patch

--- /usr/lib64/perl5/site_perl/5.10.1/CGI/Session/Driver/db_file.pm 2011-03-01 21:06:44.559502474 +0100 +++ Foo.pm 2011-03-01 21:07:17.440951031 +0100 @@ -90,7 +90,13 @@ croak "_lock(): usage error" unless $db_file; $lock_type ||= LOCK_SH; - my $lock_file = $db_file . '.lck'; + my $lock_file = sprintf("%s.lck", $db_file); + if ($lock_file =~ /^(.*)$/) { + $lock_file = $1; + } else { + die $self->set_error("_lock(): '$lock_file' appears to be untaintable."); + } + if ( -l $lock_file ) { unlink($lock_file) or die $self->set_error("_lock(): '$lock_file' appears to be a symlink and I can't remove it: $!");