Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Peter Thoeny peter09 at thoeny.org
Sat Feb 13 23:36:15 UTC 2016 

Hi Niko and Teodor,

Sorry for the delay in replying, my inbox is not a good place to track bugs.

Please see related TWiki support question at:
http://twiki.org/cgi-bin/view/Support/SID-02145

Here is the TWiki bug number we use to track the taint issue:
http://develop.twiki.org/~twiki/cgi-bin/view/Bugs/Item7721#r1

Please feel free to pitch in there as well.

Regards,
Peter


On Jan 21, 2016, at 12:28 PM, Niko Tyni <ntyni at debian.org> wrote:

> On Tue, Jan 19, 2016 at 11:25:47AM +0200, Teodor Milkov wrote:
> 
>> I've just installed libcgi-session-perl 4.48-3, but still my twiki spew the
>> following error:
>> 
>> /Insecure dependency in sysopen while running with -T switch at
>> /usr/share/perl5/CGI/Session/Driver/file.pm line 107. /
> 
> Sorry to hear that. Which version of twiki is that?
> 
> The taint bug in CGI::Session with a test case at
> https://rt.cpan.org/Public/Bug/Display.html?id=80346
> is now fixed, so your problem seems to be a different issue.
> It may well be in twiki itself rather than CGI::Session.
> 
> In the latter case, we will need a short test case for triggering this.
> Twiki itself is not part of Debian, and for my part I'm not particularly
> interested in setting one up and debugging it.
> 
>> I had to apply the following patch to mute it:
> 
>> --- tmp/file.pm 2016-01-19 11:17:45.000000000 +0200
>> +++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-19
>> 11:11:46.000000000 +0200
>> @@ -52,6 +52,8 @@
>>         return $self->set_error( "_file(): Session ids cannot contain \\ or
>> / chars: $sid" );
>>     }
>> 
>> +    ($sid) = $sid =~ /(.*)/;
>> +
>>     return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid
>> ));
>> }
> 
> While I'm glad it solved your immediate problem, that looks like a
> band-aid fix for the symptoms. It doesn't fix the root cause. If $sid is
> tainted due to external reasons, it's not the place of CGI::Session to
> untaint it. OTOH, if something in CGI::Session makes it unnecessarily
> tainted (as was the case in the bug we fixed), that's something we
> can fix.
> 
> I'm copying Peter Thoeny, the TWiki author. Peter, would you be willing
> to work with us to try and find the reason for these taint problems? The
> full bug log so far can be found in https://bugs.debian.org/810799
> -- 
> Niko Tyni   ntyni at debian.org

--
> Peter Thoeny     - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> http://qualityHDR.com - Quality HDR Photography
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public

More information about the pkg-perl-maintainers mailing list