Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Niko Tyni ntyni at debian.org
Thu Jan 21 20:28:33 UTC 2016


On Tue, Jan 19, 2016 at 11:25:47AM +0200, Teodor Milkov wrote:
 
> I've just installed libcgi-session-perl 4.48-3, but still my twiki spews the
> following error:
> 
> /Insecure dependency in sysopen while running with -T switch at
> /usr/share/perl5/CGI/Session/Driver/file.pm line 107. /

Sorry to hear that. Which version of twiki is that?

The taint bug in CGI::Session with a test case at
 https://rt.cpan.org/Public/Bug/Display.html?id=80346
is now fixed, so your problem seems to be a different issue.
It may well be in twiki itself rather than CGI::Session.

In the latter case, we will need a short test case for triggering this.
Twiki itself is not part of Debian, and for my part I'm not particularly
interested in setting one up and debugging it.

> I had to apply the following patch to mute it:

> --- tmp/file.pm 2016-01-19 11:17:45.000000000 +0200
> +++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-19
> 11:11:46.000000000 +0200
> @@ -52,6 +52,8 @@
>          return $self->set_error( "_file(): Session ids cannot contain \\ or
> / chars: $sid" );
>      }
> 
> +    ($sid) = $sid =~ /(.*)/;
> +
>      return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid
> ));
>  }
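Review bot: the added line "($sid) = $sid =~ /(.*)/;" untaints $sid unconditionally, because ".*" matches any string at all, so the taint flag is cleared without the value ever being validated, and that validation is the guarantee -T exists to enforce; the check just above it only rejects backslash and slash. If an untaint belongs at this point at all, capture a whitelist of the characters a session id may contain and call set_error() when the id does not match, exactly as the preceding check does for the path separators. Note also that without the /s modifier ".*" stops at the first newline, so an id containing one would be silently truncated rather than rejected.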

While I'm glad it solved your immediate problem, that looks like a
band-aid fix for the symptoms. It doesn't fix the root cause. If $sid is
tainted due to external reasons, it's not the place of CGI::Session to
untaint it. OTOH, if something in CGI::Session makes it unnecessarily
tainted (as was the case in the bug we fixed), that's something we
can fix.

I'm copying Peter Thoeny, the TWiki author. Peter, would you be willing
to work with us to try and find the reason for these taint problems? The
full bug log so far can be found at https://bugs.debian.org/810799
-- 
Niko Tyni   ntyni at debian.org
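For readers following the taint discussion above, the following stand-alone Perl script is an added example for this archived thread; it is not code from CGI::Session, TWiki, or either correspondent. It taints a session id the way user input is tainted under -T, reproduces the "Insecure dependency in sysopen" failure quoted at the top of the thread, and contrasts the blanket /(.*)/ capture from the quoted patch with a whitelist untaint. The helper names (taint_like_user_input, untaint_sid, untaint_blanket, try_create), the allowed id alphabet [A-Za-z0-9]{1,64}, and the cgisess_ file name prefix are assumptions made for the demonstration, not CGI::Session's own conventions. Run it as "perl -T untaint_demo.pl".

```perl
#!/usr/bin/perl -T
# Added example for this bug thread, not CGI::Session, TWiki or the
# correspondents' code. Run it as: perl -T untaint_demo.pl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT);
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Constructed input. In a CGI script the id arrives via a cookie or a
# query parameter and is tainted under -T; here a literal is tainted the
# same way by touching %ENV, which -T always marks as tainted.
sub taint_like_user_input {
    my ($value) = @_;
    return $value . substr($ENV{PATH} // '', 0, 0);
}

# Whitelist untaint (assumed alphabet and length, not CGI::Session's own
# id format). A regex capture is the sanctioned way to clear the taint
# flag, and it only does so for input that really matches; anything else
# is rejected instead of cleaned up.
sub untaint_sid {
    my ($sid) = @_;
    return unless defined $sid && $sid =~ /\A([A-Za-z0-9]{1,64})\z/;
    return $1;
}

# The quoted patch's approach: /(.*)/ matches anything, so the taint flag
# is cleared without validation, and because "." does not match a newline
# the value is silently truncated at the first one.
sub untaint_blanket {
    my ($sid) = @_;
    my ($clean) = $sid =~ /(.*)/;
    return $clean;
}

# Reproduce the failure the thread is about: sysopen with O_CREAT on a
# path derived from tainted data dies with "Insecure dependency".
sub try_create {
    my ($path) = @_;
    my $ok = eval {
        sysopen(my $fh, $path, O_WRONLY | O_CREAT, 0600) or die "$!\n";
        close $fh;
        1;
    };
    return $ok ? "created\n" : "refused: $@";
}

my $dir = tempdir(CLEANUP => 1);   # scratch directory, removed on exit

for my $raw ('abc123', "abc\n123", 'a b') {
    my $sid = taint_like_user_input($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    print "--- session id '$shown' (tainted=", tainted($sid) ? 1 : 0, ")\n";

    # 1. Untouched: the taint reaches sysopen and -T refuses the open,
    #    regardless of whether the id looks harmless.
    my $path = File::Spec->catfile($dir, "cgisess_$sid");
    print "  as received : ", try_create($path);

    # 2. Blanket untaint: always "succeeds", even for the malformed ids.
    my $loose = untaint_blanket($sid);
    (my $ls = $loose) =~ s/\n/\\n/g;
    print "  /(.*)/      : value '$ls', tainted=", tainted($loose) ? 1 : 0, "\n";

    # 3. Whitelist untaint: only the well-formed id gets through to the
    #    filesystem; the others are where set_error() would be called.
    my $clean = untaint_sid($sid);
    if (defined $clean) {
        print "  whitelist   : ",
            try_create(File::Spec->catfile($dir, "cgisess_$clean"));
    } else {
        print "  whitelist   : rejected, would call set_error()\n";
    }
}
```

The first case in each group is the situation Niko describes: taint is about where the value came from, not what it contains, so even the well-formed id is refused until something deliberately clears the flag. The comparison between the second and third cases is the difference between a band-aid and a fix: the blanket capture clears the flag for all three inputs, the whitelist clears it only for the one that is actually a valid id.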
