[Pkg-privacy-commits] [msva-perl] 120/356: untaint $uid.

Ximin Luo infinity0 at moszumanska.debian.org
Mon Aug 24 07:41:47 UTC 2015



infinity0 pushed a commit to branch debian
in repository msva-perl.

commit e0be50fa941e606da7a897248615a706637a48f3
Author: Jameson Rollins <jrollins at finestructure.net>
Date:   Sat May 1 20:53:20 2010 -0400

    untaint $uid.
    
    Found out that $uid is in fact tainted while trying to use it in a
    system() call in another context.  We have untainted it here.
    
    I think this actually means that perl's taint checking is broken,
    because it fails to check for taint in the open() call to a
    subprocess.
---
 msva-perl | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/msva-perl b/msva-perl
index fd5892e..4647721 100755
--- a/msva-perl
+++ b/msva-perl
@@ -324,12 +324,36 @@ use strict;
   }
 
 
+  sub getuid {
+    my $data = shift;
+    if ($data->{context} =~ /(https|ssh)/) {
+      $data->{context} = $1;
+    } else {
+      return [];
+    }
+    if ($data->{peer} =~ /(^[^\s]*$)/) {
+      $data->{peer} = $1;
+    } else {
+      return [];
+    }
+    return $data->{context}.'://'.$data->{peer};
+  }
 
   sub reviewcert {
     my $data  = shift;
     return if !ref $data;
 
-    my $uid = $data->{context}.'://'.$data->{peer};
+    my $status = '200 OK';
+    my $ret =  { valid => JSON::false,
+                 message => 'Unknown failure',
+               };
+
+    my $uid = getuid($data);
+    if ($uid eq []) {
+        msvalog('error', "invalid peer/context: %s/%s\n", $data->{context}, $data->{peer});
+        $ret->{message} = sprintf('invalid peer/context');
+        return $status, $ret;
+    }
 
     my $rawdata = join('', map(chr, @{$data->{pkc}->{data}}));
     my $cert = Crypt::X509->new(cert => $rawdata);
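Review bot: The sentinel check `if ($uid eq [])` in reviewcert can never be true, because `[]` builds a fresh array reference whose stringification is an address, so getuid's `return []` is never detected and an array reference flows on as $uid into the certificate checks below. Have getuid signal failure with a bare `return;` and test `if (!defined $uid)` instead. The untainting patterns in getuid are also looser than an allowlist for a value that the commit message says later reaches system() should be: `/(https|ssh)/` is unanchored, so any context containing one of those words passes with only the fragment kept, and `(^[^\s]*$)` accepts every non-whitespace byte, an empty string, and a trailing newline via `$`. Anchor both with `\A … \z`, restrict peer to the characters a peer name legitimately carries (a hostname with optional port is assumed below — confirm against the peer format the caller defines), and pass the result to `system` in list form so no shell parses it. reviewcert's body continues past the hunk, and `sprintf('invalid peer/context')` can simply be the string constant.
```perl
  sub getuid {
    my $data = shift;
    # Untaint with anchored allowlists: the result is handed to an external
    # process, so accept only whole, expected values and nothing else.
    my ($context) = $data->{context} =~ /\A(https|ssh)\z/
      or return;
    # TODO confirm: assumes a peer is a hostname with an optional :port;
    # tighten or widen once the protocol's peer format is checked.
    my ($peer) = $data->{peer} =~ /\A([A-Za-z0-9.\-]+(?::\d+)?)\z/
      or return;
    $data->{context} = $context;
    $data->{peer}    = $peer;
    return $context.'://'.$peer;
  }

  # … unchanged: reviewcert prologue, $status/$ret setup …
    my $uid = getuid($data);
    if (!defined $uid) {
        msvalog('error', "invalid peer/context: %s/%s\n", $data->{context}, $data->{peer});
        $ret->{message} = 'invalid peer/context';
        return $status, $ret;
    }
```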
@@ -338,10 +362,6 @@ use strict;
     msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg());
     msvalog('verbose', "cert pubkey: %s\n", unpack('H*', $cert->pubkey()));
 
-    my $status = '200 OK';
-    my $ret =  { valid => JSON::false,
-                 message => 'Unknown failure',
-               };
     if ($cert->PubKeyAlg() ne 'RSA') {
       $ret->{message} = sprintf('public key was algo "%s" (OID %s).  MSVA.pl only supports RSA',
                                 $cert->PubKeyAlg(), $cert->pubkey_algorithm);
