Bug #72719 for Data-ICal: Support running under taint-mode

Mon Jan 31 06:03:10 2011 apm [...] one.com - Ticket #65281: Ticket created

Subject:	VALARMs fail with taint-checks
Date:	Mon, 31 Jan 2011 12:02:55 +0100
To:	bug-Data-ICal [...] rt.cpan.org
From:	Peter Mogensen <apm [...] one.com>

Using: Perl: 5.10.1 Data::ICal: Ubuntu, libdata-ical-perl 0.16+dfsg-1 The require in sub _parse_valarm of Data/ICal/Entry.pm fails under taintchecks. To reproduce: ================================================== #!/usr/bin/perl -T use strict; use warnings; use Data::ICal; local $/ = undef; my $data = <DATA>; $ENV{PATH} = ''; my $tainteddata = qx{/bin/echo "$data"}; my $calendar = Data::ICal->new(data => $tainteddata); print $calendar->as_string; __DATA__ BEGIN:VCALENDAR PRODID:-//script VERSION:2.0 BEGIN:VEVENT SUMMARY: Test DTSTART:20110312T083000 DTEND:20110312T093000 BEGIN:VALARM TRIGGER:-PT30M REPEAT:2 DURATION:PT15M ACTION:DISPLAY DESCRIPTION: Hey END:VALARM END:VEVENT END:VCALENDAR

Fri Nov 25 05:47:17 2011 jaska [...] kivela.net - Ticket created

Subject:	Fwd: Data::ICal::Entry
Date:	Fri, 25 Nov 2011 12:47:04 +0200
To:	bug-data-ical [...] rt.cpan.org
From:	Jaska Kivelä <jaska [...] kivela.net>

Could you please add untainting $action to _parse_valarm so that it would not die when using -T. --clip-- # alarms have actions sub _parse_valarm { my ( $parent, $object ) = @_; # ick my $action = $object->{properties}->{ACTION}->[0]->{value}; die "Can't parse VALARM with action $action" unless exists $_action_map{$action}; $action =~ /^(\w*)$/; $action = $1; my $alarm_class = "Data::ICal::Entry::Alarm::" . $_action_map{$action}; eval "require $alarm_class"; die "Failed to require $alarm_class : $@" if $@; $alarm_class->import; my $alarm = $alarm_class->new; $parent->_parse_generic_event( $alarm, $object ); $parent->add_entry($alarm); return $alarm; } --clap-- -- Jaska Kivelä jaska@kivela.net Katistentie 61 +358-40-5762988 FIN-13250 HÄMEENLINNA http://www.kivela.net/jaska/ Finland

Download signature.asc
application/pgp-signature 262b

Message body not shown because it is not plain text.

Mon Oct 15 18:26:35 2012 tsibley [...] cpan.org - Subject changed from 'Fwd: Data::ICal::Entry' to 'Support running under taint-mode'

Mon Oct 15 18:26:35 2012 tsibley [...] cpan.org - Severity Wishlist added

Mon Oct 15 18:30:45 2012 tsibley [...] cpan.org - Ticket #65281: Merged into ticket #72719

Mon Oct 15 18:30:45 2012 tsibley [...] cpan.org - Merged into ticket #72719

Tue Feb 17 02:28:08 2015 cpan [...] chmrr.net - Correspondence added

Fixed in 0.22

Tue Feb 17 02:28:08 2015 The RT System itself - Status changed from 'new' to 'open'

Tue Feb 17 02:28:09 2015 cpan [...] chmrr.net - Status changed from 'open' to 'resolved'