Backtick system calls (rev 195 of trunk)

Detailed security audit results

Check Tasks.Item38 for latest status on this work.

  • DONE - These are OK (not a risk to end users). N = not in MANIFEST, C = commented out, E = in escaped literal, F = fixed (the backticks have been removed from the file)
  • ALERT! - These are positively identified as risks; O = outdated
  • blank means not examined
| Review | Where | Comment |
| DONE N | trunk/AdvertsPlugin/lib/TWiki/Plugins/AdvertsPlugin/build.pl | |
| ALERT! O | trunk/AlbumOfSnapsPlugin/bin/AlbumOfSnapsScript | Outdated and very strange code. If unused, might be worth removing the plugin |
| | trunk/AlbumOfSnapsPlugin/lib/TWiki/Plugins/AlbumOfSnapsPlugin.pm | |
| DONE N | trunk/AnyWikiDrawPlugin/lib/TWiki/Plugins/AnyWikiDrawPlugin/build.pl | |
| | trunk/AnyWikiDrawPlugin/lib/TWiki/Plugins/AnyWikiDrawPlugin.pm | |
| DONE C | trunk/ApprovalPlugin/tools/convert.pl | |
| DONE N | trunk/AttachContentPlugin/lib/TWiki/Plugins/AttachContentPlugin/build.pl | |
| DONE E | trunk/BeautifierPlugin/lib/HFile/HFile_bash.pm | |
| DONE E | trunk/BeautifierPlugin/lib/HFile/HFile_verilog.pm | |
| DONE N | trunk/BenchmarkContrib/lib/TWiki/Contrib/BenchmarkContrib/build.pl | |
| | trunk/BenchmarkContrib/lib/TWiki/Contrib/BenchmarkContrib/DProf.pm | |
| DONE N | trunk/BuildContrib/build.pl | |
| DONE N | trunk/BuildContrib/lib/TWiki/Contrib/BuildContrib/build.pl | |
| DONE | trunk/BuildContrib/lib/TWiki/Contrib/Build.pm | Part of the developer environment. Caveat emptor. |
| | trunk/CacheAddOn/bin/benchmark | |
| | trunk/CacheAddOn/bin/fresh | |
| | trunk/CacheChooserAddOn/bin/cache | |
| DONE N | trunk/CalendarPlugin/lib/TWiki/Plugins/CalendarPlugin/build.pl | |
| DONE N | trunk/ChildTopicsTag/lib/TWiki/Tags/ChildTopicsTag/build.pl | |
| DONE N | trunk/CliRunnerContrib/lib/TWiki/Contrib/CliRunnerContrib/build.pl | |
| | trunk/CliRunnerContrib/lib/TWiki/Contrib/CliRunnerContrib.pm | |
| DONE N | trunk/ComponentEditPlugin/lib/TWiki/Plugins/ComponentEditPlugin/build.pl | |
| DONE N | trunk/core/build.pl | |
| DONE C | trunk/core/lib/CPAN/lib/Algorithm/Diff.pm | |
| DONE E | trunk/core/lib/CPAN/lib/Locale/Maketext/Extract.pm | |
| DONE E | trunk/core/lib/LocalSite.cfg | |
| | trunk/core/lib/TWiki/Configure/Checker.pm | |
| | trunk/core/lib/TWiki/Configure/Checkers/cygwin.pm | |
| | trunk/core/lib/TWiki/Configure/UIs/EXTEND.pm | |
| DONE N | trunk/core/lib/TWiki/Contrib/BuildContrib/build.pl | |
| DONE | trunk/core/lib/TWiki/Contrib/Build.pm | Part of the developer environment. Caveat emptor. |
| DONE N | trunk/core/lib/TWiki/Contrib/core/build.pl | |
| DONE C | trunk/core/lib/TWiki/Contrib/JSCalendarContrib.pm | |
| DONE N | trunk/core/lib/TWiki/Contrib/MailerContrib/build.pl | |
| DONE C | trunk/core/lib/TWiki/Func.pm | |
| DONE E | trunk/core/lib/TWiki.pm | |
| DONE E | trunk/core/lib/TWiki/Prefs/PrefsCache.pm | |
| DONE | trunk/core/lib/TWiki/Sandbox.pm | This is the only place where there should be a system call! |
| DONE E | trunk/core/lib/TWiki/Search.pm | |
| DONE E | trunk/core/lib/TWiki.spec | |
| DONE N | trunk/core/mklinks.sh | |
| DONE N | trunk/core/pseudo-install-twiki.pl | |
| DONE N | trunk/core/test/bin/make_big.pl | |
| DONE N | trunk/core/test/compiletest.pl | |
| DONE N | trunk/core/test/runtest.pl | |
| DONE N | trunk/core/test/tinderbox/rebuild-deploy-test-if-new.pl | |
| DONE N | trunk/core/test/tinderbox/report-test.pl | |
| DONE N | trunk/core/test/tinderbox/tinderbox.pl | |
| DONE N | trunk/core/test/unit/RcsTests.pm | |
| DONE N | trunk/core/test/unit/StoreSmokeTests.pm | |
| DONE N | trunk/core/tools/admin/mrtg/twiki.cfg | |
| DONE N | trunk/core/tools/benchmark/benchmark.Athens | |
| DONE N | trunk/core/tools/benchmark/benchmark.Beijing | |
| DONE N | trunk/core/tools/benchmark/benchmark.Cairo | |
| DONE N | trunk/core/tools/benchmark/countlines.pl | |
| DONE N | trunk/core/tools/benchmark/coverage.pl | |
| DONE N | trunk/core/tools/benchmark.pl | |
| DONE N | trunk/core/tools/build_all_extensions.pl | |
| DONE N | trunk/core/tools/builddistros.pl | |
| DONE N | trunk/core/tools/build.pl | |
| DONE N | trunk/core/tools/buildTWikiRelease.pl | |
| DONE N | trunk/core/tools/check_manifest.pl | |
| DONE N | trunk/core/tools/check_requires.pl | |
| DONE N | trunk/core/tools/check_translations | |
| DONE N | trunk/core/tools/develop/analyse.pl | |
| DONE N | trunk/core/tools/develop/cron.pl | |
| DONE N | trunk/core/tools/develop/genwebnotify.pl | |
| DONE N | trunk/core/tools/develop/hooks/commit-email.pl | |
| DONE N | trunk/core/tools/develop/hooks/post-commit | |
| DONE N | trunk/core/tools/develop/post-commit.pl | |
| DONE N | trunk/core/tools/develop/pre-commit.pl | |
| DONE N | trunk/core/tools/distro/svn2cl.xsl | |
| DONE N | trunk/core/tools/distro/test.pl | |
| | trunk/core/tools/extender.pl | |
| DONE N | trunk/core/tools/gendocs.pl | Part of build system |
| ALERT! O N | trunk/core/tools/install_defaultweb_topics.pl | Part of TWiki shell work that was never completed. Remove. |
| DONE N | trunk/core/tools/pkg/debian/copyright | |
| DONE N | trunk/core/tools/pkg/debian/patches/001_WorkingDir.dpatch | |
| DONE N | trunk/core/tools/pkg/debian/patches/002_fix-configure-installer-paths | |
| DONE N | trunk/core/tools/pkg/debian/postinst | |
| DONE N | trunk/core/tools/pkg/debian/postrm | |
| DONE N | trunk/core/tools/pkg/debian/preinst.unused | |
| DONE N | trunk/core/tools/pkg/twikiplugin2deb.sh | Sven: Do you really use this? |
| DONE O | trunk/core/tools/plugins_conformance_analyser.pl | CDot: Any idea if this is still used? There was talk about using it again as part of a plugin appraisal process. It's a command-line script, is not released, and IMHO is pretty much irrelevant ATM - CDot |
| DONE N | trunk/core/tools/TWikiKernel/build.pl | |
| DONE N | trunk/core/tools/xgettext | Very odd piece of code. Still used? |
| DONE N | trunk/CpanContrib/lib/TWiki/Contrib/CpanContrib/build.pl | WillNorris: Can you check please? And double-check the chmod -R 777 before the rm -rf |
| DONE N | trunk/CreateTopicTag/lib/TWiki/Tags/CreateTopicTag/build.pl | |
| ALERT! | trunk/DakarContrib/lib/TWiki/Contrib/DakarContrib.pm | Same as Sandbox, but for Dakar. REMOVE |
| DONE N | trunk/DBCacheContrib/lib/TWiki/Contrib/DBCacheContrib/build.pl | |
| DONE N | trunk/DBCacheContrib/test/unit/DBCacheContrib/FileTimeTest.pm | |
| | trunk/DiskUsagePlugin/lib/TWiki/Plugins/DiskUsagePlugin.pm | |
| DONE N | trunk/DistributionContrib/lib/TWiki/Contrib/DistributionContrib/build.pl | |
| DONE N | trunk/DojoToolkitContrib/lib/TWiki/Contrib/DojoToolkitContrib/build.pl | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dijit/bench/benchReceive.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dojo/tests/resources/JSON.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dojox/analytics/logger/JSON.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dojox/grid/tests/support/data.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dojox/grid/tests/support/json.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/dojox/rpc/tests/resources/JSON.php | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/util/buildscripts/build_release.sh | |
| | trunk/DojoToolkitContrib/pub/TWiki/DojoToolkitContrib/util/buildscripts/webbuild.php | |
| ALERT! O | trunk/DolphinToTWikiAddOn/bin/dolphin2twiki | |
| | trunk/EasyTimelinePlugin/tools/EasyTimeline.pl | |
| DONE N | trunk/EditContrib/lib/TWiki/Contrib/EditContrib/build.pl | |
| DONE N | trunk/EditHiddenTablePlugin/lib/TWiki/Plugins/EditHiddenTablePlugin/build.pl | |
| DONE N | trunk/EditTablerowPlugin/lib/TWiki/Plugins/EditTablerowPlugin/build.pl | |
| DONE F | trunk/EmbedBibPlugin/lib/TWiki/Plugins/EmbedBibPlugin.pm | |
| DONE N | trunk/EmptyContrib/lib/TWiki/Contrib/EmptyContrib/build.pl | |
| DONE N | trunk/EmptyHeaderArtContrib/lib/TWiki/Contrib/EmptyHeaderArtContrib/build.pl | |
| DONE N | trunk/EmptyPlugin/lib/TWiki/Plugins/EmptyPlugin/build.pl | |
| DONE N | trunk/EmptyTag/lib/TWiki/Tags/EmptyTag/build.pl | |
| DONE N | trunk/ExampleHeaderArtContrib/lib/TWiki/Contrib/ExampleHeaderArtContrib/build.pl | |
| DONE N | trunk/ExcelImportExportPlugin/lib/TWiki/Plugins/ExcelImportExportPlugin/build.pl | |
| | trunk/ExecuterContrib/executer/lib/Slion/TWiki/Executer.pm | StephaneLenclud: This plugin seems to be a high security risk. Any lock-down feature? |
| DONE N | trunk/ExtTopicListPlugin/lib/TWiki/Plugins/ExtTopicListPlugin/build.pl | |
| DONE N | trunk/FallbackPlugin/lib/TWiki/Plugins/FallbackPlugin/build.pl | |
| DONE N | trunk/FirefoxBoosterPlugin/lib/TWiki/Plugins/FirefoxBoosterPlugin/build.pl | |
| | trunk/FirefoxExtensionAddOn/Makefile | |
| DONE C | trunk/FlowchartPlugin/lib/TWiki/Plugins/FlowchartPlugin.pm | |
| DONE E | trunk/FormQueryPlugin/lib/TWiki/Plugins/FormQueryPlugin/TableFormat.pm | |
| DONE N | trunk/FuncContrib/lib/TWiki/Contrib/FuncContrib/build.pl | |
| DONE N | trunk/FuncUsersContrib/lib/TWiki/Contrib/FuncUsersContrib/build.pl | |
| DONE N | trunk/GenerateSearchPlugin/lib/TWiki/Plugins/GenerateSearchPlugin/build.pl | |
| | trunk/GenPDFLatexAddOn/lib/TWiki/Contrib/GenPDFLatex.pm | |
| DONE N | trunk/GetAWebAddOn/lib/TWiki/Contrib/GetAWebAddOn/build.pl | |
| | trunk/GnuPlotPlugin/tools/gnuplot.pl | |
| DONE N | trunk/HideInEditModePlugin/lib/TWiki/Plugins/HideInEditModePlugin/build.pl | |
| DONE N | trunk/HtmlFormsPlugin/lib/TWiki/Plugins/HtmlFormsPlugin/build.pl | |
| DONE N | trunk/ImgPlugin/lib/TWiki/Plugins/ImgPlugin/build.pl | |
| DONE N | trunk/ImgTag/lib/TWiki/Tags/ImgTag/build.pl | |
| DONE N | trunk/InclTag/lib/TWiki/Tags/InclTag/build.pl | |
| DONE N | trunk/InlineEditPlugin/lib/TWiki/Plugins/InlineEditPlugin/build.pl | |
| | trunk/InlineEditPlugin/pub/TWiki/InlineEditPlugin/Wikiwyg-0.12/LICENSE | |
| DONE F | trunk/IrcLogPlugin/lib/TWiki/Plugins/IrcLogPlugin.pm | WillNorris: Could you check please? |
| DONE N | trunk/IrcPlugin/lib/TWiki/Plugins/IrcPlugin/build.pl | |
| DONE N | trunk/JQueryDevPlugin/lib/TWiki/Plugins/JQueryDevPlugin/build.pl | |
| DONE N | trunk/JSCalendarContrib/lib/TWiki/Contrib/JSCalendarContrib/build.pl | |
| DONE C | trunk/JSCalendarContrib/lib/TWiki/Contrib/JSCalendarContrib.pm | |
| DONE N | trunk/JSPopupPlugin/lib/TWiki/Plugins/JSPopupPlugin/build.pl | |
| DONE N | trunk/JSUnitContrib/lib/TWiki/Contrib/JSUnitContrib/build.pl | |
| | trunk/KoalaSkin/bin/koalaskin-generate | |
| | trunk/KoalaSkin/bin/ks_lastchanges.sh | |
| DONE F | trunk/KoalaSkin/bin/savemulti | |
| | trunk/KwikiToTWikiAddOn/bin/kwiki2twiki.pl | |
| | trunk/LatexModePlugin/lib/TWiki/Plugins/LatexModePlugin/Parse.pm | |
| | trunk/LatexModePlugin/lib/TWiki/Plugins/LatexModePlugin/Render.pm | |
| DONE N | trunk/LdapContrib/lib/TWiki/Contrib/LdapContrib/build.pl | |
| DONE N | trunk/MailerContrib/lib/TWiki/Contrib/MailerContrib/build.pl | |
| DONE N | trunk/TwistyContrib/lib/TWiki/Contrib/TwistyContrib/build.pl | |
| DONE N | trunk/UnitTestContrib/test/unit/RcsTests.pm | |
| DONE N | trunk/UnitTestContrib/test/unit/StoreSmokeTests.pm | |
| DONE N | trunk/WidgetsSkin/lib/TWiki/Contrib/WidgetsSkin/build.pl | |

Based on the table above created by CrawfordCurrie, I've looked into all scripts and tried to fix as much as possible.

I've removed a few entries which were irrelevant (Makefile, eps, etc.), and added some comments. I've fixed most of the build.pl scripts, as many were simply due to one comment from the BuildContrib having a ` at the end of one line.

-- OlivierRaginel - 16.11.2008
Topic revision: r8 - 17 Nov 2008, OlivierRaginel