On Tue, 6 Feb 2001, Brian Ingerson wrote:
> I will not be able to fix this myself until mid-March. But I
> would be happy to apply a patch if anyone wants to take this up.
>
> Stas Bekman wrote:
> > Apparently Inline.pm is not taint clean, I've discovered it while using
The following patch will untaint the contents of the config file. The
first line of the config file is now an MD5 "fingerprint" which is checked
before untainting. If you apply this patch, you will need to delete your
current config file so Inline can recreate it.
--- Inline-0.31/Inline.pm Sat Jan 13 23:02:12 2001
+++ Inline.pm Tue Feb 6 14:29:59 2001
@@ -342,10 +342,20 @@
$o->create_config_file("$DIRECTORY/config") if not -e "$DIRECTORY/config";
open CONFIG, "< $DIRECTORY/config"
- or croak "Can't open ${DIRECTORY}config for input\n";
+ or croak "Can't open $DIRECTORY/config for input\n";
+ my $digest = <CONFIG>;
my $config = join '', <CONFIG>;
close CONFIG;
+ # Check that file contents haven't been altered.
+ chomp $digest;
+ $digest eq md5_hex($config)
+ or croak("MD5 digest mismatch in $DIRECTORY/config\n");
+
+ # Untaint.
+ $config =~ /^(.*)\z/s;
+ $config = $1;
+
delete $main::{Inline::config::};
eval <<END;
;package Inline::config;
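Review bot: The comparison `$digest eq md5_hex($config)` detects a corrupted or truncated file but not a modified one: the MD5 is stored unkeyed in the same file, so anyone who can write $DIRECTORY/config can rewrite the contents and the first line together, and the blanket `/^(.*)\z/s` untaint then hands the result to the `eval` below. That is only acceptable because the file lives in Inline's own directory, so the comment should say so rather than imply integrity: `# The digest only catches a truncated or corrupted file; it is not a tamper check, so the eval below is only as trustworthy as the permissions on $DIRECTORY.` An empty config file leaves `$digest` undef, so `chomp` and `eq` emit warnings instead of a clear failure; add `defined $digest or croak "Empty config file $DIRECTORY/config\n";` before the comparison. The enclosing sub starts before the hunk and the `eval` heredoc continues past it.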
@@ -424,15 +434,20 @@
my $types = Data::Dumper::Dumper(\%types);
my $modules = Data::Dumper::Dumper(\%modules);
my $suffixes = Data::Dumper::Dumper(\%suffixes);
-
- open CONFIG, "> $file" or croak "Can't open $file for output\n";
- print CONFIG <<END;
+
+ my $config = <<END;
\$version = $Inline::VERSION;
%languages = %{$languages};
%types = %{$types};
%modules = %{$modules};
%suffixes = %{$suffixes};
END
+
+ # Add a bit of security.
+ $config = md5_hex($config) . "\n$config";
+
+ open CONFIG, "> $file" or croak "Can't open $file for output\n";
+ print CONFIG $config;
close CONFIG;
}
#==============================================================================
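Review bot: The re-added `open CONFIG, "> $file"` keeps the two-argument form with a bareword handle, and `close CONFIG` is still unchecked, so a short or failed write is only noticed as a digest mismatch on the next load. Since the line is being rewritten anyway, prefer `open my $fh, '>', $file or croak "Can't open $file for output\n";` with `print {$fh} $config;` and `close $fh or croak "Can't write $file: $!\n";`. The comment `# Add a bit of security.` overstates what an unkeyed MD5 of the same file provides; `# Prefix an MD5 of the contents so the reader can detect a corrupted file.` describes it accurately. create_config_file's signature is above the hunk.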
--
Tim Gim Yee
[EMAIL PROTECTED]