
This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 6639
Status: resolved
Priority: 0/
Queue: Archive-Zip

People
Owner: nedkonz [...] cpan.org
Requestors: kai.iskratsch [...] awd.at
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Subject: Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089.
If Perl is running in -T mode you will get the error message: Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089. when using addTree or a similar method like modifyTree. That's because chdir checks for tainted data and the return of cwd() is marked tainted. If you untaint this data the next problem is File::Find, which will get you a similar error unless you use the untaint option from it. I added a small patch that gets Archive::Zip running in taint mode (only tested with 5.6.1 and 5.8.0).
diff B C:\Dokumente und Einstellungen\5096\Desktop\Archive.pm C:\Dokumente und Einstellungen\5096\Desktop\Archive_Zip.pm 1082c1082,1083 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); > 1094c1095 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1251c1252 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); 1264c1265 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1298a1300,1307 > } > > sub untaintDir > { > my $dir=shift; > $dir=~/([\.\/\w\-])/; > $dir=$1; > return $dir;
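Review bot: the pattern in `sub untaintDir` (hunk 1298a1300,1307), `/([\.\/\w\-])/`, has no `^`/`$` anchors and no `+` quantifier, so the capture group holds a single character and `$startDir` is cut down to the first matching character of `cwd()`; a failed match is also not detected before `$dir=$1` runs, which leaves `$dir` undefined or holding a leftover `$1`. Anchor the pattern, quantify the class with `+`, and test the match result before using `$1`.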
From: kai.iskratsch [...] awd.at
Sorry, I appended the wrong patch file. This is the right one.
diff B C:\Dokumente und Einstellungen\5096\Desktop\Archive.pm C:\Dokumente und Einstellungen\5096\Desktop\Archive_Zip.pm 1082c1082,1083 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); > 1094c1095 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1251c1252 < my $startDir = cwd(); --- > my $startDir = &untaintDir(cwd()); 1264c1265 < File::Find::find( $wanted, $root ); --- > File::Find::find( {wanted=>$wanted,untaint=>1}, $root ); 1298a1300,1307 > } > > sub untaintDir > { > my $dir=shift; > $dir=~/^([\-\+\@\w\.\/]+)$/; > $dir=$1; > return $dir;
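Review bot: in the `sub untaintDir` hunk (1298a1300,1307) the match result is never tested before `$dir=$1` is assigned: when `cwd()` contains a character outside `[\-\+\@\w\.\/]` (a space, as in the reporter's own `Dokumente und Einstellungen` path, or a Windows drive colon or backslash), the match fails, `$1` is undefined or left over from an earlier match, and `$startDir` silently becomes undef instead of the call failing with an error. Test the match and fail loudly, e.g. `my ($clean) = $dir =~ /^([\-\+\@\w\.\/]+)$/ or die "cannot untaint directory: $dir";` followed by `return $clean;`. The `untaint=>1` calls in the 1094c1095 and 1264c1265 hunks rely on File::Find's default untaint_pattern, which as the thread notes is this same character class, so any character added for Windows has to be passed as `untaint_pattern` there as well.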
[guest - Wed Jun 16 08:48:52 2004]:
> If Perl is running in -T mode you will get the error message:
> Insecure dependency in chdir while running with -T switch at
> /usr/lib/perl5/site_perl/5.6.1/Archive/Zip.pm line 1089.
>
> when using addTree or a similar method like modifyTree. That's
> because chdir checks for tainted data and the return of cwd() is
> marked tainted.
> If you untaint this data the next problem is File::Find, which will get
> you a similar error unless you use the untaint option from it.
The return value from cwd() is supposed to be taint-safe, or at least it says so in the Cwd pod. Have you tried this using Cwd v 2.18 yet?
[guest - Wed Jun 16 09:23:54 2004]:
> Sorry, I appended the wrong patch file. This is the right one.
Will this work right with:
* Mac OS?
* Windows
* Older versions of Perl and File::Find (back to 5.003_96, like A::Z)?
Thanks, Ned
> Will this work right with:
> * Mac OS?
> * Windows
I have no MacOS system, so I have no chance to test it on a Mac. But the only thing to check would be whether the regular expression for the untaint checks fits all possible MacOS filenames. For Windows you probably will have to add a \ to the allowed chars in the filename regular expression. I will check that later when I have a Windows computer with Perl running on it somewhere near. If you have to change this pattern you might have to set untaint_pattern in the File::Find options to the same pattern. I'm now using the default pattern from it for my checks too.
> * Older versions of Perl and File::Find (back to 5.003_96, like A::Z)?
>
Seems like 5.003 Perl doesn't have the untaint option in File::Find; it's been in it since 5.6.0, so you will have to do a version check before you call File::Find and call it with different options if you want to keep it compatible with versions below 5.6. Kai
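Putting the thread's points together, here is an added example (not the ticket's patch and not Archive::Zip code) of an untaint helper that actually checks its match, plus a File::Find call gated on the Perl version check Kai describes. The names `untaint_dir`, `find_untainted` and `$DIR_PATTERN` are chosen here and do not exist in Archive::Zip; the character class is the one the corrected patch uses, which the thread says is also File::Find's default untaint_pattern.

```perl
#!/usr/bin/perl -T
# Added example, not part of the ticket or of Archive::Zip: untainting the
# working directory and walking a tree with File::Find while running under -T.
use strict;
use warnings;
use Cwd ();
use File::Find ();

# Same class as the corrected patch's untaintDir and as File::Find's default
# untaint_pattern (per the thread). Windows paths would need \\ and the drive
# colon added here AND passed as untaint_pattern below, as Kai notes.
my $DIR_PATTERN = qr{^([-+@\w./]+)$};

# Hypothetical helper modelled on the ticket's untaintDir, but the match is
# checked: a cwd() with a space in it (like "Dokumente und Einstellungen")
# makes this die instead of quietly returning undef from a failed $1.
sub untaint_dir {
    my ($dir) = @_;
    my ($clean) = $dir =~ $DIR_PATTERN
        or die "refusing to untaint directory '$dir': character outside the allowed class\n";
    return $clean;   # came out of a capture group, so it is no longer tainted
}

# Hypothetical walker: File::Find's untaint option exists from Perl 5.6.0, so
# the version check keeps the call compatible with older perls. On those the
# plain two-argument form is used, which under -T still hits the chdir taint
# error the ticket reports; there is no untaint support to fall back to.
sub find_untainted {
    my ($root, $wanted) = @_;
    if ($] >= 5.006) {
        File::Find::find(
            { wanted => $wanted, untaint => 1, untaint_pattern => $DIR_PATTERN },
            $root,
        );
    }
    else {
        File::Find::find($wanted, $root);
    }
}

# Mirror of the addTree flow: remember the start directory (untainted, with a
# loud failure if it cannot be), walk the tree, then chdir back.
my $start_dir = untaint_dir(Cwd::cwd());
my @files;
find_untainted('.', sub { push @files, $File::Find::name if -f $_ });
chdir $start_dir or die "cannot chdir back to $start_dir: $!\n";
print "$_\n" for @files;
```

Run it as `perl -T script.pl` so the command line matches the `-T` in the shebang (Perl refuses to start with "Too late for -T" otherwise). The difference from the patch as posted is only in `untaint_dir`: because the list assignment returns the number of captured elements, a non-matching `cwd()` dies on the spot rather than producing an undefined `$start_dir` that the final `chdir` would then fail on.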