scrumwikidev · ScrumWiki Development
taint mode problems
Message #26 of 125

(originally sent to feedback@...)
> We are attempting to use ScrumWiki for our project. We're
> on a Win2K platform using Apache 2.0. When we try to save
> our first page, we get a Perl error "Insecure dependency in
> open while running with -T switch."

This is perl enabling taint mode checking [1], which on the whole is a
very good idea. Thanks for reporting this.

You may be able to resolve it by disabling taint checking in your
apache conf, but this is a bit like leaving your front door unlocked
because you cannot find your keys. Plus, I suspect it is the perl CGI
module that is enabling it.

To fix it in the code, see changes below. I'll roll these into the
next release whenever I get the time to do it.

You might hit some other similar problems with taint checking on, but
the 2 changes below got me a working version with taint checking
turned on. Let me know if you hit other problems.

Murray.


----


replace this (around line 3870)

sub WriteStringToFile {
my ($file, $string) = @_;

open (OUT, ">$file") or die(Ts('cant write %s', $file) . ": $!");
print OUT $string;
close(OUT);
}

sub AppendStringToFile {
my ($file, $string) = @_;

open (OUT, ">>$file") or die(Ts('cant write %s', $file) . ": $!");

with this:

sub WriteStringToFile {
my ($file, $string) = @_;

# Only a successful regex match clears perl's taint flag, so the captured
# $1 (never $file itself) is what gets opened. Note the class admits '/',
# '\' and '.', so this satisfies -T but does not reject '..' in a name.
my $safe;
if ($file =~ /^([\w\d\\\/\.\_\-\(\)]+)$/) { $safe = $1; }
else { die("possibly unsafe (tainted) file name"); }

open (OUT, ">$safe") or die(Ts('cant write %s', $safe) . ": $!");
print OUT $string;
close(OUT);
}

sub AppendStringToFile {
my ($file, $string) = @_;

# Same untainting as in WriteStringToFile.
my $safe;
if ($file =~ /^([\w\d\\\/\.\_\-\(\)]+)$/) { $safe = $1; }
else { die("possibly unsafe (tainted) file name"); }

open (OUT, ">>$safe") or die(Ts('cant write %s', $safe) . ": $!");
# (the remainder of AppendStringToFile is unchanged)

and also replace this (around line 6976)

open(OUT, ">$file") or die("while trying to save $file $!");
binmode OUT;
if ($imgType eq 'gif') { print(OUT $im->gif); }
else { print(OUT $im->png); }
close(OUT);
$file .= '.small.' . $imgType;
open(OUT, ">$file") or die("while trying to save $file $!");

with this

# Untaint $file with a capture before the first write-mode open, as in
# the WriteStringToFile change above.
my $safe;
if ($file =~ /^([\w\d\\\/\.\_\-\(\)]+)$/) { $safe = $1; }
else {
die("possibly unsafe (tainted) file name");
}
open(OUT, ">$safe") or die("while trying to save $safe $!");
binmode OUT;
if ($imgType eq 'gif') { print(OUT $im->gif); }
else { print(OUT $im->png); }
close(OUT);
# Appending a literal keeps $safe untainted, but $imgType must itself be
# untainted: taint propagates through concatenation, and a tainted
# $imgType would make the next open die with the same error.
$safe .= '.small.' . $imgType;
open(OUT, ">$safe") or die("while trying to save $safe $!");

mintywalker, Thu Dec 9, 2004 6:16 pm
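A stand-alone demonstration of the taint-mode behaviour this message deals with, added here as an example; it is not ScrumWiki code and was not part of the original post. It assumes a throwaway data directory created with File::Temp and a handful of constructed page-file names placed in __DATA__. The untaint_strict routine and its rules (Unix-style relative names only, no empty, '.' or '..' components, result anchored under the data directory) are this example's own addition, not something the patch above does; untaint_loose uses a pattern equivalent to the patch's (\w already covers \d and _).

```perl
#!/usr/bin/perl -T
# Added example, not ScrumWiki's own code.  Run as:  perl -T untaint_demo.pl
# It shows (1) that a write-mode open of a tainted name dies with exactly the
# error in the report while a read-mode open does not; (2) that only a regex
# capture clears the taint flag, so $1 is returned rather than $file; and
# (3) that the character class used in the patch satisfies -T but still lets
# ".." through, beside a stricter untainter.  The data directory and the page
# names in __DATA__ are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

my $DataDir = tempdir(CLEANUP => 1);      # stand-in for the wiki's data dir
mkdir("$DataDir/page") or die "mkdir: $!\n";

# Equivalent of the capture in the patch above: a successful match is the
# only thing that makes $1 clean, so the original tainted $file is never used.
sub untaint_loose {
    my ($file) = @_;
    return $1 if $file =~ /^([\w\\\/.\-()]+)$/;
    die "possibly unsafe (tainted) file name: $file\n";
}

# Stricter variant (assumption of this example: page files are Unix-style
# relative paths under $DataDir).  Same capture technique, but no backslash,
# no empty, '.' or '..' component, and the result is anchored to $DataDir.
sub untaint_strict {
    my ($file) = @_;
    my ($clean) = $file =~ /^([\w.\-\/]+)\z/
        or die "rejected, bad character in name: $file\n";
    for my $part (split m{/}, $clean, -1) {
        die "rejected, empty, '.' or '..' path component: $file\n"
            if $part eq '' || $part eq '.' || $part eq '..';
    }
    return "$DataDir/$clean";
}

# Lexical-filehandle equivalents of the wiki's write/read helpers.
sub write_string_to_file {
    my ($path, $string) = @_;
    open my $out, '>', $path or die "can't write $path: $!\n";
    print {$out} $string;
    close $out or die "can't close $path: $!\n";
    return $path;
}

sub read_string_from_file {
    my ($path) = @_;
    open my $in, '<', $path or die "can't read $path: $!\n";
    local $/;
    my $string = <$in>;
    close $in;
    return $string;
}

# Run a callback, turning a die into a printable string.
sub attempt {
    my ($code) = @_;
    my $result = eval { $code->() };
    return "ok: $result" if defined $result;
    chomp(my $err = $@);
    return "died: $err";
}

# Anything read from a filehandle, DATA included, is tainted under -T.
while (my $name = <DATA>) {
    chomp $name;
    next if $name eq '' || $name =~ /^#/;
    printf "\n'%s' %s\n", $name, tainted($name) ? '[tainted]' : '[clean]';
    my $raw = "$DataDir/$name";           # interpolation keeps the taint

    # A read-only open of a tainted name is allowed by -T (perlsec); it fails
    # here only because the file does not exist.  A write-mode open dies with
    # "Insecure dependency in open while running with -T switch" whatever the
    # name contains: taint is about provenance, not about the characters.
    printf "  raw read      %s\n", attempt(sub { read_string_from_file($raw) });
    printf "  raw write     %s\n", attempt(sub { write_string_to_file($raw, "x\n") });

    # The patch's pattern clears the flag but admits '..'; note which names
    # it hands back as "safe".
    printf "  loose untaint %s\n", attempt(sub { untaint_loose($name) });

    # The stricter untainter, followed by an actual write under -T.
    printf "  strict write  %s\n",
        attempt(sub { write_string_to_file(untaint_strict($name), "x\n") });
}

__DATA__
# constructed page-file names
HomePage.db
page/HomePage.db
../../etc/passwd
Home Page.db
HomePage;rm -rf.db
```

Run it as `perl -T untaint_demo.pl`. For every name the raw write dies with the reporter's exact message, while the raw read fails only with "No such file or directory", which is consistent with the report breaking on the first save rather than on page display. The loose pattern returns '../../etc/passwd' as clean, so it is enough to satisfy -T but not a path check; the strict version rejects it and writes the two well-formed names under the temporary directory.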
