Your message dated Tue, 07 Jun 2011 11:03:13 +0000
with message-id <[email protected]>
and subject line Bug#629511: fixed in libdata-formvalidator-perl 4.66-3
has caused the Debian Bug report #629511,
regarding can report invalid data as valid in untaint mode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
629511: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libdata-formvalidator-perl
Version: 4.66-2
Severity: important
Tags: security squeeze sid wheezy upstream
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=61792
If there is a previous match in $&, the validation routine erroneously
returns success:
$ perl <<'EOF'
use Data::FormValidator;
"bug" =~ /b/;
my $result = Data::FormValidator->check(
    { a => 'b' },                       # input data
    {                                   # validation profile
        untaint_all_constraints => 1,
        optional                => [ 'a' ],
        constraints             => {
            a => qr/a/,                 # RE that must match
        },
    },
);
print $result->success, "\n";
EOF
1
$
The following patch fixes the bug by correcting the check for a
successful match.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--- a/lib/Data/FormValidator/Results.pm
+++ b/lib/Data/FormValidator/Results.pm
@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
# With methods, the value is the second argument
my $val = $force_method_p ? $_[1] : $_[0];
my ($match) = scalar ($val =~ $re);
- if ($untaint_this && defined $match) {
+ if ($untaint_this && $match) {
# pass the value through a RE that matches anything to untaint
it.
my ($untainted) = ($& =~ m/(.*)/s);
return $untainted;
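Review bot: the corrected condition `+ if ($untaint_this && $match) {` is right, but the reason deserves a comment next to it and a regression test, because the failure is easy to reintroduce: `my ($match) = scalar ($val =~ $re);` yields "" (defined but false) when the pattern does not match, so the old `defined $match` test was true on every call and the untaint branch ran unconditionally, returning whatever `$&` still held from an earlier successful match in the dynamic scope, as the reporter's script shows. Suggest adding a one-line comment such as "# a failed match returns '', which is defined; test truth, not definedness" above the condition, and turning the reporter's reproducer (a prior match followed by a non-matching constraint with untaint_all_constraints => 1) into a test case so that success() is asserted to be false there.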
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
I plan to push this via squeeze-updates, unless the security team
considers it suitable for a DSA.
Cheers!
-- System Information:
Debian Release: wheezy/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.utf8, LC_CTYPE=bg_BG.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libdata-formvalidator-perl depends on:
ii libemail-valid-perl 0.184-1 Perl module for checking the valid
ii libfile-mmagic-perl 1.27-1 Perl module to guess file type
ii libimage-size-perl 3.230-1 module for determining image sizes
ii libmime-types-perl 1.30-1 Perl extension for determining MIM
ii libperl6-junction-perl 1.40000-1 Perl6 style Junction operators in
ii libregexp-common-perl 2011041701-1 module with common regular express
ii perl 5.12.3-7 Larry Wall's Practical Extraction
Versions of packages libdata-formvalidator-perl recommends:
ii libdate-calc-perl 6.0-2+b1 Perl library for accessing dates
libdata-formvalidator-perl suggests no packages.
-- no debconf information
--- End Message ---
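The root cause of the report above in plain Perl, as an added example that is not part of the bug report, the Debian package or Data::FormValidator itself. The two subs `untaint_buggy` and `untaint_fixed` are hypothetical stand-ins modelled on the condition in `_create_sub_from_RE` before and after the patch; the inputs are constructed to mirror the reporter's script:

```perl
#!/usr/bin/perl
# Added example, not code from the Data::FormValidator distribution or the
# Debian package. It reproduces the mechanism behind #629511 with plain Perl:
# a scalar-context match returns "" (defined but false) when the pattern
# fails, and $& keeps the text of the previous successful match in the
# dynamic scope, so testing "defined $match" and then untainting $& can
# hand back stale data as if it had passed the constraint.
use strict;
use warnings;

# Hypothetical stand-in for the pre-fix check: a defined match result is
# treated as success, then whatever is currently in $& is "untainted".
sub untaint_buggy {
    my ($val, $re) = @_;
    my ($match) = scalar($val =~ $re);
    if (defined $match) {              # "" is defined, so this is always true
        my ($untainted) = ($& =~ m/(.*)/s);
        return $untainted;
    }
    return;                            # undef: value rejected
}

# Hypothetical stand-in for the fixed check: untaint only on a real match,
# so $& is guaranteed to describe the match against $val just performed.
sub untaint_fixed {
    my ($val, $re) = @_;
    my ($match) = scalar($val =~ $re);
    if ($match) {
        my ($untainted) = ($& =~ m/(.*)/s);
        return $untainted;
    }
    return;
}

# Constructed inputs: an earlier, unrelated successful match leaves "b"
# in $&, then the value "b" is checked against a constraint (/a/) that
# must not accept it.
"bug" =~ /b/;
my $buggy = untaint_buggy('b', qr/a/);
my $fixed = untaint_fixed('b', qr/a/);

printf "buggy: %s\n", defined $buggy ? "accepted '$buggy'" : 'rejected';
printf "fixed: %s\n", defined $fixed ? "accepted '$fixed'" : 'rejected';
```

Run with `perl example.pl`; the buggy variant reports that it accepted 'b' (the leftover contents of `$&`), the fixed variant rejects it. The example also shows why `$&` is a fragile thing to untaint from: it is a global that reflects the last successful match anywhere in the dynamic scope, not necessarily a match against the value being validated, so the truth test on `$match` is what ties the two together.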
--- Begin Message ---
Source: libdata-formvalidator-perl
Source-Version: 4.66-3
We believe that the bug you reported is fixed in the latest version of
libdata-formvalidator-perl, which is due to be installed in the Debian FTP archive:
libdata-formvalidator-perl_4.66-3.debian.tar.gz
  to main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-3.debian.tar.gz
libdata-formvalidator-perl_4.66-3.dsc
  to main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-3.dsc
libdata-formvalidator-perl_4.66-3_all.deb
  to main/libd/libdata-formvalidator-perl/libdata-formvalidator-perl_4.66-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damyan Ivanov <[email protected]> (supplier of updated libdata-formvalidator-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 Jun 2011 13:48:47 +0300
Source: libdata-formvalidator-perl
Binary: libdata-formvalidator-perl
Architecture: source all
Version: 4.66-3
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Damyan Ivanov <[email protected]>
Description:
libdata-formvalidator-perl - module to validate user input, mainly for HTML forms
Closes: 629511
Changes:
libdata-formvalidator-perl (4.66-3) unstable; urgency=low
.
* add a patch fixing a possible passing of invalid data in untaint mode
Closes: #629511
* Claim conformance with Policy 3.9.2 (no changes)
Checksums-Sha1:
 161dd19820f4f8ae64dc25856787b3b128ec4c55 2525 libdata-formvalidator-perl_4.66-3.dsc
 9b9b2adce753416b4b2919a6bfa11a04ba27af14 5082 libdata-formvalidator-perl_4.66-3.debian.tar.gz
 0d9f8df8a72b2a745d97dfc242aadbf1e4ceadb6 98302 libdata-formvalidator-perl_4.66-3_all.deb
Checksums-Sha256:
 f2bc9d3d780e98a3b3a2d1197fe4d89e37a30f9110e068f5bdb7b4ae7efff476 2525 libdata-formvalidator-perl_4.66-3.dsc
 418510d1e5aa63c27b24ea67b192128a057d0a342650148584de5e83e15c6eed 5082 libdata-formvalidator-perl_4.66-3.debian.tar.gz
 039bd0eafc763633024d8770647d13ed49585bc6a56a2e5151e58e41a05f96f2 98302 libdata-formvalidator-perl_4.66-3_all.deb
Files:
 9542b7f81374ea9d5bf512953608b4ed 2525 perl optional libdata-formvalidator-perl_4.66-3.dsc
 01c64832e114eb9381979f8ab95e886c 5082 perl optional libdata-formvalidator-perl_4.66-3.debian.tar.gz
 016e7086a486be6856a40cb2467c38d5 98302 perl optional libdata-formvalidator-perl_4.66-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---