[Pkg-privacy-commits] [msva-perl] 120/356: untaint $uid.
Ximin Luo
infinity0 at moszumanska.debian.org
Mon Aug 24 07:41:47 UTC 2015
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch debian
in repository msva-perl.
commit e0be50fa941e606da7a897248615a706637a48f3
Author: Jameson Rollins <jrollins at finestructure.net>
Date: Sat May 1 20:53:20 2010 -0400
untaint $uid.
Found out that $uid is in fact tainted while trying to use it in a
system() call in another context. We have untainted it here.
I think this actually means that perl's taint checking is broken,
because it fails to check for taint in the open() call to a
subprocess.
---
msva-perl | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/msva-perl b/msva-perl
index fd5892e..4647721 100755
--- a/msva-perl
+++ b/msva-perl
@@ -324,12 +324,36 @@ use strict;
}
+ sub getuid {
+ my $data = shift;
+ if ($data->{context} =~ /(https|ssh)/) {
+ $data->{context} = $1;
+ } else {
+ return [];
+ }
+ if ($data->{peer} =~ /(^[^\s]*$)/) {
+ $data->{peer} = $1;
+ } else {
+ return [];
+ }
+ return $data->{context}.'://'.$data->{peer};
+ }
sub reviewcert {
my $data = shift;
return if !ref $data;
- my $uid = $data->{context}.'://'.$data->{peer};
+ my $status = '200 OK';
+ my $ret = { valid => JSON::false,
+ message => 'Unknown failure',
+ };
+
+ my $uid = getuid($data);
+ if ($uid eq []) {
+ msvalog('error', "invalid peer/context: %s/%s\n", $data->{context}, $data->{peer});
+ $ret->{message} = sprintf('invalid peer/context');
+ return $status, $ret;
+ }
my $rawdata = join('', map(chr, @{$data->{pkc}->{data}}));
my $cert = Crypt::X509->new(cert => $rawdata);
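Review bot: The failure check `if ($uid eq [])` in reviewcert can never be true: `[]` builds a fresh anonymous array each time, so `eq` compares two different `ARRAY(0x...)` strings, and an invalid peer/context falls through with an array reference stringified into `$uid` instead of taking the error path. getuid should signal failure with a bare `return;` (undef in scalar context) and reviewcert should test `if (!defined $uid) {`. The untaint patterns are also looser than the commit intends: `/(https|ssh)/` is unanchored, so any context containing those letters (e.g. `sshx`) is accepted and silently rewritten to the match, and `/(^[^\s]*$)/` accepts an empty peer and, via `$`, a trailing newline; anchoring with `\A`/`\z` and requiring at least one character closes both, and since the commit message says `$uid` later reaches system(), a tighter allowlist of the characters a peer may actually contain would be safer still (the exact peer format is not visible here). Note that getuid rewrites `$data->{context}` and `$data->{peer}` in place, which callers of reviewcert may not expect; reviewcert's body continues past the hunk.
```perl
sub getuid {
    my $data = shift;
    # Anchored so only a whole, allowed value passes the untaint capture.
    if ($data->{context} =~ m{\A(https|ssh)\z}) {
        $data->{context} = $1;
    } else {
        return;
    }
    if ($data->{peer} =~ m{\A(\S+)\z}) {
        $data->{peer} = $1;
    } else {
        return;
    }
    return $data->{context}.'://'.$data->{peer};
}
# … unchanged: start of reviewcert up to the getuid call …
    my $uid = getuid($data);
    if (!defined $uid) {
```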
@@ -338,10 +362,6 @@ use strict;
msvalog('verbose', "cert pubkey algo: %s\n", $cert->PubKeyAlg());
msvalog('verbose', "cert pubkey: %s\n", unpack('H*', $cert->pubkey()));
- my $status = '200 OK';
- my $ret = { valid => JSON::false,
- message => 'Unknown failure',
- };
if ($cert->PubKeyAlg() ne 'RSA') {
$ret->{message} = sprintf('public key was algo "%s" (OID %s). MSVA.pl only supports RSA',
$cert->PubKeyAlg(), $cert->pubkey_algorithm);