
This queue is for tickets about the Authen-Captcha CPAN distribution.

Report information
The Basics
Id: 7223
Status: resolved
Priority: 0/
Queue: Authen-Captcha

People
Owner: Nobody in particular
Requestors: william [...] knowmad.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: 1.023_001



Subject: Taint mode not supported
Hi Josh, Thanks for maintaining the Authen::Captcha module. It's made my life much easier when my client requested support for captcha images. I am using taint in my mod_perl applications and had some trouble with your Captcha.pm module. I've attached a patch which works for me. Hope you can find time to include support for taintmode. Thanks, William
--- /tmp/Authen-Captcha-1.023/Captcha.pm Wed Dec 17 23:44:34 2003 +++ Captcha.pm Mon Aug 2 15:33:36 2004 @@ -233,7 +233,14 @@ { $line =~ s/\n//; my ($data_time,$data_code) = split(/::/,$line); - + + if ($data_code =~ /^([a-fA-F_0-9]{32})$/) { + $data_code = $1; + } + else { + die "Failed to match when attempting to untaint."; + } + my $png_file = File::Spec->catfile($self->output_folder(),$data_code . ".png"); if ($data_code eq $crypt) { @@ -355,6 +362,12 @@ if ( (($current_time - $data_time) > ($self->expire())) || ($data_code eq $md5) ) { # remove expired captcha, or a dup + if ($data_code =~ /^([a-fA-F_0-9]{32})$/) { + $data_code = $1; + } + else { + die "Failed to match when attempting to untaint."; + } my $png_file = File::Spec->catfile($self->output_folder(),$data_code . ".png"); unlink($png_file) or carp("Can't remove png file [$png_file]\n"); } else {
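Review bot: in the first hunk (@@ -233,7 +233,14 @@) the untaint pattern `^([a-fA-F_0-9]{32})$` admits an underscore and upper-case letters, neither of which a 32-character hex digest such as the `$md5` compared against in the second hunk can contain; narrow it to `^([0-9a-f]{32})$` so the regex states exactly the format the data file is expected to hold. More important, `die "Failed to match when attempting to untaint."` turns a single malformed or truncated line in the data file into a fatal error for every captcha check that follows, and when `split(/::/,$line)` finds no separator `$data_code` is undef and the match warns before dying. Skipping the record (`next`) with a `carp` keeps one corrupt line from taking the whole verification path down.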
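Review bot: the second hunk (@@ -355,6 +362,12 @@) repeats the untaint block of the first hunk verbatim; factor it into one small helper, or untaint at the point where `$data_code` is produced from the line, so the two call sites cannot drift apart. Placing it inside the `if` also means it runs only after `$data_code eq $md5` and the `$current_time - $data_time` comparison have been evaluated; those operations are safe on tainted data, but untainting once, before any use, keeps the check in one obvious place and gives the same protection to `$data_time`.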
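A stand-alone illustration of the untainting the patch above is doing, added here as an example; it is not Authen::Captcha code and does not reproduce the module's API. It assumes the `time::code` record format visible in the hunks, a 300-second expiry, a literal output folder and a fixed clock, and the four data-file records are constructed. Reading the records through a filehandle marks them tainted, as reading the real data file would, and only values that come out of an anchored capture are used to build a filesystem path:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Constructed sample of the "time::code" records the data file holds.
# Under -T every line read from a filehandle is tainted, like real file input.
my $records = join '',
    "1091474016::d41d8cd98f00b204e9800998ecf8427e\n",   # well formed
    "1091474020::deadbeef\n",                           # truncated code
    "1091474030::../../etc/passwd\n",                   # path smuggled into the code field
    "\n";                                               # blank line
open my $fh, '<', \$records or die "open: $!";
my @data = <$fh>;
close $fh;

# Parse one record. Returns (time, code), both untainted, or an empty list
# when the line is not exactly "<digits>::<32 lowercase hex digits>".
# The captures are what clear the taint flag, so the pattern is the whole
# definition of "acceptable" and is anchored at both ends on purpose.
sub parse_captcha_record {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    return unless $line =~ m/\A(\d{1,12})::([0-9a-f]{32})\z/;
    return ($1, $2);
}

my $output_folder = '/var/www/captcha';   # assumed; the module takes this from output_folder()
my $expire        = 300;                  # assumed expiry in seconds
my $current_time  = 1091474100;           # fixed "now" so the run is reproducible
my $submitted     = 'd41d8cd98f00b204e9800998ecf8427e';   # value the user typed

foreach my $line (@data) {
    printf "raw line tainted: %d\n", tainted($line) ? 1 : 0;
    my ($data_time, $data_code) = parse_captcha_record($line);
    unless (defined $data_code) {
        warn "skipping malformed captcha record\n";
        next;    # a corrupt or tampered line must not abort every check
    }
    my $png_file = File::Spec->catfile($output_folder, "$data_code.png");
    printf "png path tainted: %d\n", tainted($png_file) ? 1 : 0;   # untainted, so unlink would be allowed
    if ($current_time - $data_time > $expire) {
        print "expired: $png_file\n";
    }
    elsif ($data_code eq $submitted) {
        print "match:   $png_file\n";
    }
}
```

Run it with `perl -T` (the shebang alone is not enough when invoked through `perl`). The well-formed record is reported as a match; the truncated, path-carrying and blank records are skipped with a warning instead of dying. Had `$data_code` been taken straight from `split` and passed to `unlink`, Perl would abort with "Insecure dependency in unlink while running with -T switch", which is the failure the ticket reports.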
From: vlastimil.holer [...] gooddata.com
It causes problems for us as well. It would be nice to have this simple Debian patch included. Or can I take over the package maintenance somehow?

Vlastimil Holer
--- ./Captcha.pm 2008-06-11 12:53:18.000000000 +0200 +++ /usr/share/perl5/Authen/Captcha.pm 2007-11-30 16:19:15.000000000 +0100 @@ -232,7 +232,11 @@ foreach my $line (@data) { $line =~ s/\n//; - my ($data_time,$data_code) = split(/::/,$line); + # Fixes Debian Bug #409731 + # Extract untainted time and code + # Patch provided by Chris Dunlop <chris@onthe.net.au> + # applied by Ernesto Hernández-Novich <emhn@usb.ve> + my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/; my $png_file = File::Spec->catfile($self->output_folder(),$data_code . ".png"); if ($data_code eq $crypt) @@ -351,7 +355,12 @@ foreach my $line (@data) { $line =~ s/\n//; - my ($data_time,$data_code) = split(/::/,$line); + # Fixes Debian Bug #409731 + # Extract untainted time and code + # Patch provided by Chris Dunlop <chris@onthe.net.au> + # applied by Ernesto Hernández-Novich <emhn@usb.ve> + my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/; + if ( (($current_time - $data_time) > ($self->expire())) || ($data_code eq $md5) ) { # remove expired captcha, or a dup
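Review bot: in the first hunk (@@ -232,7 +232,11 @@), when a line does not match `m/(^\d+)::([[:xdigit:]]{32})$/` the list assignment leaves both `$data_time` and `$data_code` undefined, and the unchanged `File::Spec->catfile($self->output_folder(),$data_code . ".png")` and `$data_code eq $crypt` that follow then operate on undef (warnings, and a path whose basename is just ".png"). Add a guard such as `next unless defined $data_code;` directly after the match. Minor: `^` belongs outside the group, `^(\d+)::`, for readability; the behaviour is identical.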
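Review bot: the second hunk (@@ -351,7 +355,12 @@) has the same missing guard, and here it has a side effect: with `$data_time` undef, `($current_time - $data_time)` evaluates to `$current_time`, which exceeds `$self->expire()`, so a malformed record is treated as expired and the code reaches `unlink($png_file)` on `catfile(output_folder, ".png")`, with the `carp` on failure as the only symptom. A `next unless defined $data_code;` before the `if` avoids both the warnings and the spurious unlink.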
RT-Send-CC: vlastimil.holer [...] gooddata.com
Hi! Thanks for your contribution. We've just uploaded 1.024, which includes your fix, to CPAN, and it will hit the mirrors in a couple of hours. Have a nice day!

Lubo