Bug#406205: libfile-find-rule-perl: Taint mode fails

Wolfgang Schemmel bugs at dodgeit.com
Tue Jan 9 16:17:38 CET 2007


Package: libfile-find-rule-perl
Version: 0.30-2
Severity: important
Tags: patch


On etch, the taint mode won't work:

$ perl -MFile::Find::Rule -Tle '$rule=File::Find::Rule->new->extras({ untaint => 1 })->start($ARGV[0]); while ($f = $rule->match ) { print $f; }' .
Insecure dependency in chdir while running with -T switch at /usr/share/perl5/File/Find/Rule.pm line 591.

This _will_ render all scripts, programs and applications
using taint mode and this module unusable.

The bug has been listed at CPAN for about 2 months now:
http://rt.cpan.org/Public/Bug/Display.html?id=20418
However, the untainting in that patch is just a slob job.
Mine does real untainting.


Patch (taken from working version 0.28 from sarge):
--- Rule.pm.030 2007-01-09 16:10:53.000000000 +0100
+++ Rule.pm.030.fixed   2007-01-09 16:10:53.000000000 +0100
@@ -575,6 +575,12 @@

     my $sub = eval "$code" or die "compile error '$code' $@";
     my $cwd = getcwd;
+    # Untaint it
+    if ( $cwd =~ qr|^([-+@\w./]+)$| ) {
+        $cwd = $1;
+    } else {
+        die "Couldn't untaint \$cwd: [$cwd]";
+    }
     for my $path (@_) {
         # $topdir is used for relative and maxdepth
         $topdir = $path;
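Review bot: the untaint class `[-++@\w./]` in the added `if ( $cwd =~ qr|^([-+@\w./]+)$| )` is narrower than what a working directory may legitimately contain (spaces, colons, parentheses, `~`), so the new `die "Couldn't untaint \$cwd: [$cwd]"` turns a previously silent case into a hard failure for every user whose cwd has such a character; widen the class deliberately (still an explicit allow-list, not `.*`) and anchor with `\A`/`\z` rather than `^`/`$`, since `$` still matches before a trailing newline. Also, only `$cwd` is cleaned here, while the loop below assigns `$topdir = $path` from the caller's arguments; if the "Insecure dependency in chdir" reported at line 591 can also come from `$path`, the same capture-based untaint (or a check that the `untaint` extra was requested) belongs there too.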


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-15)

Versions of packages libfile-find-rule-perl depends on:
ii  libnumber-compare-perl        0.01-4     Perform numeric comparisons in Per
ii  libtext-glob-perl             0.07-1     Match globbing patterns against te
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction 
ii  perl-modules                  5.8.8-7    Core Perl modules

libfile-find-rule-perl recommends no packages.

-- no debconf information
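The following is an added example, not code from the bug report or from File::Find::Rule: it shows why a capture-based untaint is needed before chdir() under -T and how a slightly wider, still explicit allow-list behaves on good and bad paths. The helper name untaint_path and its character class are assumptions, not the module's API; run it as `perl -T untaint_demo.pl`.

```perl
# Run with: perl -T untaint_demo.pl
# Added example (assumed names); demonstrates taint-safe handling of getcwd()
# before chdir(), the failure the bug report describes.
use strict;
use warnings;
use Cwd qw(getcwd);
use Scalar::Util qw(tainted);

# Untaint a filesystem path by validating it against an explicit allow-list
# and returning only the captured text, which perl treats as clean.
# Returns undef on mismatch so the caller chooses how to fail.
# The class is an assumption: it adds space, comma, colon and '=' to the
# patch's [-+@\w./], and \A/\z reject a trailing newline that $ would accept.
sub untaint_path {
    my ($path) = @_;
    return undef unless defined $path;
    return $1 if $path =~ m{\A([-+@\w./ ,:=]+)\z};
    return undef;
}

my $cwd = getcwd();
print "getcwd() result is ", (tainted($cwd) ? "tainted" : "clean"), "\n";

# chdir() on a tainted value under -T dies with "Insecure dependency in chdir";
# clean it first and refuse to continue if it contains unexpected characters.
my $clean = untaint_path($cwd);
defined $clean
    or die "refusing to use directory name [$cwd]: unexpected characters\n";
print "untainted copy is ", (tainted($clean) ? "tainted" : "clean"), "\n";

chdir $clean or die "chdir($clean) failed: $!\n";
print "chdir succeeded under taint mode\n";

# Constructed sample inputs: paths carrying a newline or shell metacharacters
# are rejected, a plain path with a space is accepted.
for my $sample ("/tmp\n", "/tmp;rm", "/tmp/\$HOME", "/tmp/my dir") {
    (my $shown = $sample) =~ s/\n/\\n/g;
    printf "%-14s => %s\n", $shown,
        defined untaint_path($sample) ? "accepted" : "rejected";
}
```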