On Sat, 8 Sep 2001, Philippe M . Chiasson wrote:
> On Sat, Sep 08, 2001 at 05:15:19PM +0800, Stas Bekman wrote:
> > On Sat, 8 Sep 2001, Philippe M . Chiasson wrote:
> >
> > > Small patch to supress an annoying taint warning
> >
> > Philippe, please inline the patches, so we could comment on these.
>
> Sure thing Stas. Will do that next time. Or do you prefer me to resend them all?
No, no, that's fine.
> > > And btw, this isn't safe at all, isn't it? It's just bypassing the
> > > taint checking... Should it be fixed or what?
> >
> > According to perlsec manpage this is what should be done:
> >
> > $ENV{'PATH'} = '/bin:/usr/bin';
> > delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
> >
> > hence in this particular case the patch should be:
> >
> > local %ENV;
> > delete @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) };
>
> Simple curiosity: What about non-Unix OSes?
I don't know. Just following the instructions from perlsec manpage. I guess
that's what makes the open "|" untainted, so we make it happy. In any case
this is supposed to be safe code, since it's just a build system. If the
user doesn't trust the code, he has to read it all. I cannot see how this
thing can be exploited.
_____________________________________________________________________
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
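As an added example, not the patch from this thread, here is the perlsec recipe quoted above applied around a piped open under `-T`, scoped with `local` so the caller's environment is untouched afterwards; it assumes a Unix-like system with perl and `/bin/echo` at those paths, and uses the list form of `open` so no shell parses the arguments.

```perl
#!/usr/bin/perl -T
# Added example (not the patch discussed in the thread): sanitising %ENV
# before a piped open under taint mode, following the perlsec recipe.
use strict;
use warnings;

# Run a command through a pipe and return its output lines. %ENV is
# scrubbed only for the duration of this call: local restores the
# caller's environment when the sub returns.
sub run_clean {
    my @cmd = @_;
    local %ENV = %ENV;                       # private copy for this scope
    $ENV{PATH} = '/bin:/usr/bin';            # fixed, untainted PATH (perlsec)
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # shell-influencing variables
    # List-form pipe open: the command is exec'd directly, so no shell
    # re-parses the arguments; taint mode still requires a clean PATH
    # and the variables deleted above, which is why the scrub comes first.
    open my $fh, '-|', @cmd or die "cannot run @cmd: $!";
    my @out = <$fh>;
    close $fh or warn "@cmd exited with status $?\n";
    return @out;
}

# Under -T every %ENV value inherited from the caller is tainted; without
# the scrub above this open would die with "Insecure $ENV{PATH}".
my @lines = run_clean('/bin/echo', 'hello from a clean environment');
print @lines;
```

Run it as `perl -T script.pl`; the taint checks are only active with the `-T` switch.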