Subject: | --server, --port parameters not untainted |
devbot uses perl taint mode (which is a good thing), but it does not untaint the values of the --server and --port options before passing them to POE. So calling:
$ perl -T -I perl5/lib/perl5/ perl5/bin/devbot --server irc.perl.org
results in:
Event _do_connect in session 1 raised exception:
Insecure dependency in connect while running with -T switch at perl5/lib/perl5//POE/Wheel/SocketFactory.pm line 977.
To fix this, the parameters need to be checked for well-formedness.
The attached patch tries to accomplish that.
Subject: | 0001-untaint-server-and-port.patch |
From b1d28a63f3315004c15d70f519937c780fd83e91 Mon Sep 17 00:00:00 2001
From: Philipp Gortan <philipp.gortan@apa.at>
Date: Mon, 30 Jun 2014 16:45:32 +0200
Subject: [PATCH] untaint --server and --port
---
Makefile.PL | 3 ++-
lib/App/Devbot.pm | 12 +++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/Makefile.PL b/Makefile.PL
index a83aa86..446b493 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -19,7 +19,8 @@ WriteMakefile(
POE 0
POE::Component::IRC::Plugin::AutoJoin 0
POE::Component::IRC::Plugin::NickServID 0
- POE::Component::IRC::State 0/,
+ POE::Component::IRC::State 0
+ Regexp::Common 0/,
},
META_MERGE => {
dynamic_config => 0,
diff --git a/lib/App/Devbot.pm b/lib/App/Devbot.pm
index 1e0f5c8..d7cd700 100644
--- a/lib/App/Devbot.pm
+++ b/lib/App/Devbot.pm
@@ -15,11 +15,10 @@ use IRC::Utils qw/parse_user/;
use Getopt::Long;
use POSIX qw/strftime/;
+use Regexp::Common qw /net/;
##################################################
-our $VERSION;
-
my $nick='devbot';
my $password;
my $server='irc.oftc.net';
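Review bot: The removal of `our $VERSION;` on the `-` lines is unrelated to the untainting named in the commit subject and should be justified in the message or split into its own commit. If `$VERSION` is assigned elsewhere in this file under `use strict`, dropping the declaration breaks compilation, and if Makefile.PL reads the version from this module (VERSION_FROM), that would presumably break too; if the declaration was genuinely dead, say so. The `qw /net/` import with a space before the delimiter is legal but unusual; `use Regexp::Common qw(net);` is the conventional spelling.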
@@ -73,7 +72,14 @@ sub bot_start{
Retry_when_banned => 60,
));
- $irc->yield(register => "all");
+ if ($server =~ /^($RE{net}{domain})$/) {
+ $server = $1;
+ }
+ if ($port =~ /^([0-9]+)$/) {
+ $port = $1;
+ }
+
+ $irc->yield(register => "all");
$irc->yield(
connect => {
Nick => $nick,
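Review bot: A value that fails either regex stays tainted and falls through silently, so the later connect still dies with the same opaque "Insecure dependency" error the ticket reports; each check needs an `else` branch that rejects the value with a readable message. The anchors should also be `\A`/`\z` rather than `^`/`$` (the latter admits a trailing newline), and the port check accepts any digit string, including values above 65535. `$RE{net}{domain}` is a hostname pattern, so an IP literal such as `--server 127.0.0.1` would presumably be rejected as well; alternating with `$RE{net}{IPv4}` covers that. bot_start starts and ends outside the hunk, and since it issues `$irc->yield` it looks like a POE handler, so a `die` here surfaces as a session exception — validating right after option parsing would fail earlier and more clearly.
```perl
    # … unchanged: POE::Component::IRC spawn …
    if ($server =~ /\A($RE{net}{domain}|$RE{net}{IPv4})\z/) {
        $server = $1;
    }
    else {
        die "invalid --server value '$server'\n";
    }
    if ($port =~ /\A([0-9]{1,5})\z/ && $1 <= 65535) {
        $port = $1;
    }
    else {
        die "invalid --port value '$port'\n";
    }
    # … unchanged: register and connect yields …
```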
--
1.8.5.5