On Sat, Sep 08, 2001 at 05:43:15PM +0800, Stas Bekman wrote:
> On Sat, 8 Sep 2001, Philippe M . Chiasson wrote:
> 
> > On Sat, Sep 08, 2001 at 05:15:19PM +0800, Stas Bekman wrote:
> > > On Sat, 8 Sep 2001, Philippe M . Chiasson wrote:
> > >
> > > > Small patch to suppress an annoying taint warning
> > >
> > > Philippe, please inline the patches, so we could comment on these.
> >
> > Sure thing Stas.  Will do that next time. Or do you prefer me to resend them all?
> 
> No, no, that's fine.
> 
> > > > And btw, this isn't safe at all, is it? It's just bypassing the
> > > > taint checking... Should it be fixed or what?
> > >
> > > According to perlsec manpage this is what should be done:
> > >
> > >            $ENV{'PATH'} = '/bin:/usr/bin';
> > >            delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
> > >
> > > hence in this particular case the patch should be:
> > >
> > >   local %ENV;
> > >   delete @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) };
> >
> > Simple curiosity: what about non-Unix OSes?
> 
> I don't know. Just following the instructions from perlsec manpage. I guess
> that's what makes the open "|" untainted, so we make it happy. In any case
> this is supposed to be safe code, since it's just a build system. If the
> user doesn't trust the code, he has to read it all. I cannot see how this
> thing can be exploited.

Agreed ;-) Just asking...

> _____________________________________________________________________
> Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
> http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
> mailto:[EMAIL PROTECTED]   http://apachetoday.com http://eXtropia.com/
> http://singlesheaven.com http://perl.apache.org http://perlmonth.com/

-- 
Philippe M. Chiasson  <[EMAIL PROTECTED]>
  Extropia's Resident System Guru
     http://www.eXtropia.com/

When you rewrite a compiler from scratch, you sometimes fix
things you didn't know were broken. 
        -- Larry Wall

perl -e '$$=\${gozer};{$_=unpack(P26,pack(L,$$));/^Just Another Perl 
Hacker!\n$/&&print||$$++&&redo}'
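A stand-alone illustration of the perlsec cleanup the thread discusses, added here and not taken from the thread or from the mod_perl build system; the helper name and the /bin/echo command are my own choices.

```perl
#!/usr/bin/perl -T
# Taint mode (-T) refuses to start a subprocess while %ENV carries values
# that could influence program lookup or a shell, because anything inherited
# from the caller's environment is tainted by definition.
use strict;
use warnings;

# Hypothetical helper: run a program through a pipe with a sanitised %ENV.
# Takes the absolute path of the program and its arguments; returns the
# captured output as a string.
sub run_with_clean_env {
    my ($prog, @args) = @_;

    # 'local' restores the caller's %ENV when the sub returns, so the
    # cleanup only affects this one subprocess.
    local %ENV = %ENV;

    # The perlsec recipe: remove the variables the taint check inspects.
    # Deleting PATH (rather than assigning a fixed one) is what the thread's
    # patch does; it means $prog must be given as an absolute path, since
    # there is nothing left to search. IFS, CDPATH, ENV and BASH_ENV can
    # change how a shell behaves, so they go as well.
    delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};

    # List form of open: no shell is involved, so @args are passed verbatim.
    open(my $fh, '-|', $prog, @args)
        or die "cannot run $prog: $!";
    my $out = do { local $/; <$fh> };
    close($fh) or warn "$prog exited with status " . ($? >> 8) . "\n";
    return $out;
}

# Without the delete above, the same open() under -T dies with
# "Insecure $ENV{PATH} while running with -T switch".
print run_with_clean_env('/bin/echo', 'taint check passed');
```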
