Closed Bug 441921 Opened 16 years ago Closed 16 years ago

context=file fails due to taint issues in file names and file rev numbers

Categories

(Bugzilla :: Attachments & Requests, defect)

3.1.4
defect
Not set
critical

Tracking

RESOLVED FIXED
Bugzilla 3.2

People

(Reporter: LpSolit, Assigned: LpSolit)

Details

(Keywords: regression)

Attachments

(1 file)

Follow the URL above. You get:

  Insecure dependency in system while running with -T switch at /usr/lib/perl5/vendor_perl/5.8.8/PatchReader/CVSClient.pm line 60.

I cannot reproduce this problem in Bugzilla 3.0.4+, which makes me think bug 410902 could be the culprit. Investigating!
Flags: blocking3.2+
OK, I don't get it at all. In /usr/lib/perl5/vendor_perl/5.8.8/PatchReader/Raw.pm, next_line() contains:

  if ($line =~ /^---\s*(\S+)\s*\t([^\t\r\n]*)\s*(\S*)/) {
    [...]
    $this->{FILE_STATE}{old_revision} = $3 if $3;

and guess what? Adding the line

    die "bah, $3 is tainted!!" if is_tainted($3);

dies, meaning that $3 is tainted. How is that possible??? The goal of the regexp is to untaint the data.
That's ridiculous. $line itself is not tainted, but $3 is!
That sounds like a bug in Perl itself. I've seen those from time to time, with taint mode.
So why can I only reproduce the problem with Bugzilla 3.1.4/3.3 but not with 3.0.4?
Interesting, $attachment->{data} = Encode::decode_utf8($attachment->data); causes the problem. Without this line, context=file is working fine. What I don't understand is that is_tainted($attachment->data) returns false, both before and after the call to decode_utf8().
OK, the problem only occurs with Perl 5.8.8, but doesn't with Perl 5.8.1, 5.8.5 nor with 5.10.0. Upgrading Encoding.pm from 2.12 (the version used in Perl 5.8.8) to 2.25 (latest release) doesn't help.
Attached patch: patch, v1 (deleted)
Replace Encode::decode_utf8() by utf8::decode() to work around a bug in Perl 5.8.8. My testing shows no regression. himorin, could you confirm?
Attachment #326946 - Flags: review?
Attachment #326946 - Flags: review? → review?(shimono)
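A taint-mode probe for the behaviour discussed in this bug, as an added example that is not Bugzilla's or PatchReader's own code: it runs the header regex quoted above over a sample decoded with Encode::decode_utf8() and with utf8::decode(), and reports any capture variable that is still tainted. The sample header line, the script name taint_probe.pl and the probe() helper are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not Bugzilla or PatchReader code. Run as: perl -T taint_probe.pl
use strict;
use warnings;
use Encode ();
use Scalar::Util qw(tainted);

# Header regex quoted in this report from PatchReader::Raw::next_line().
my $HEADER_RE = qr/^---\s*(\S+)\s*\t([^\t\r\n]*)\s*(\S*)/;

# Constructed sample: one CVS-style diff header line as raw UTF-8 bytes.
my $SAMPLE = "--- Bugzilla/caf\xc3\xa9.pm\t2008-06-25 10:00:00\t1.5\n";

# Zero-length string that carries the taint flag of $0 and $^X.
my $TAINT = substr("$0$^X", 0, 0);
die "no taint source; run with perl -T\n" unless ${^TAINT} && tainted($TAINT);

# Match one line and list the capture variables that are still tainted.
sub probe {
    my ($label, $line) = @_;
    $line =~ $HEADER_RE or die "$label: header did not match\n";
    my @dirty;
    push @dirty, '$1' if tainted($1);
    push @dirty, '$2' if tainted($2);
    push @dirty, '$3' if tainted($3);
    return { label => $label, input_tainted => tainted($line) ? 1 : 0,
             revision => $3, dirty => \@dirty };
}

# The two decoders named in the report, each applied to its own copy.
my $bytes      = $SAMPLE;
my $via_encode = Encode::decode_utf8($bytes);
my $via_utf8   = $SAMPLE;
utf8::decode($via_utf8) or die "sample is not valid UTF-8\n";

my @results = (
    probe('raw bytes, untainted',        $SAMPLE),
    probe('Encode::decode_utf8() copy',  $via_encode),
    probe('utf8::decode() in place',     $via_utf8),
    probe('raw bytes, tainted on entry', $SAMPLE . $TAINT),
);

my $failed = 0;
for my $r (@results) {
    my $state = @{ $r->{dirty} } ? "TAINTED: @{ $r->{dirty} }" : 'captures clean';
    printf "%-28s input_tainted=%d rev=%s %s\n",
        $r->{label}, $r->{input_tainted}, $r->{revision}, $state;
    $failed ||= scalar @{ $r->{dirty} };
}
exit($failed ? 1 : 0);
```

Exit status 1 means a capture came back tainted, which is the condition that makes a later system() call die with "Insecure dependency" under -T.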
Reproduced on Perl 5.8.8, and it worked fine with the patch.
The system environment with checksetup.pl is as follows (Debian etch with my package repository of Perl packages):

$ perl -MEncode -e 'print Encode->VERSION'
2.12
$ ./checksetup.pl 
* This is Bugzilla 3.3 on perl 5.8.8
* Running on Linux 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007

Checking perl modules...
Checking for              CGI.pm (v2.93)   ok: found v3.15 
Checking for            TimeDate (v2.21)   ok: found v2.22 
Checking for           PathTools (v0.84)   ok: found v3.12 
Checking for                 DBI (v1.41)   ok: found v1.53 
Checking for    Template-Toolkit (v2.15)   ok: found v2.19 
Checking for          Email-Send (v2.00)   ok: found v2.181 
Checking for          Email-MIME (v1.861)  ok: found v1.861 
Checking for Email-MIME-Modifier (v1.442)  ok: found v1.442 

Checking available perl DBD modules...
Checking for              DBD-Pg (v1.45)    not found 
Checking for           DBD-mysql (v4.00)   ok: found v4.006 
Checking for          DBD-Oracle (v1.19)    not found 

The following Perl modules are optional:
Checking for                  GD (v1.20)   ok: found v2.34 
Checking for               Chart (v1.0)    ok: found v2.4.1 
Checking for         Template-GD (any)     ok: found v1.56 
Checking for          GDTextUtil (any)     ok: found v0.86 
Checking for             GDGraph (any)     ok: found v1.4308 
Checking for            XML-Twig (any)     ok: found v3.26 
Checking for          MIME-tools (v5.406)  ok: found v5.420 
Checking for         libwww-perl (any)     ok: found v2.033 
Checking for         PatchReader (v0.9.4)  ok: found v0.9.5 
Checking for          PerlMagick (any)     ok: found v6.2.4 
Checking for           perl-ldap (any)     ok: found v0.33 
Checking for         SASL-Authen (any)      not found 
Checking for          RadiusPerl (any)      not found 
Checking for           SOAP-Lite (any)     ok: found v0.69 
Checking for         HTML-Parser (v3.40)   ok: found v3.55 
Checking for       HTML-Scrubber (any)     ok: found v0.08 
Checking for Email-MIME-Attachment-Stripper (any)      not found 
Checking for         Email-Reply (any)      not found 
Checking for            mod_perl (v1.999022)  not found 
Checking for              CGI.pm (v3.11)   ok: found v3.15 
Comment on attachment 326946
patch, v1

for testing the patch.
Attachment #326946 - Flags: review?(shimono) → review+
Depends on: 410902
Flags: approval3.2+
Flags: approval+
tip:

Checking in Bugzilla/Attachment/PatchReader.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Attachment/PatchReader.pm,v  <--  PatchReader.pm
new revision: 1.6; previous revision: 1.5
done

3.1.4:

Checking in Bugzilla/Attachment/PatchReader.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Attachment/PatchReader.pm,v  <--  PatchReader.pm
new revision: 1.5.2.1; previous revision: 1.5
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED