Item5994: turn on taint mode in configure and fix the problems

Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: TWiki:Main.SvenDowideit
Waiting For:
Last Change By: KwangErnLiew

cos it's less secure without.

And while we're at it, remove the files from the logos dir and replace them with inline css images.

-- TWiki:Main/SvenDowideit - 11 Sep 2008

Is anyone doing this within the next few days for 4.2.4, or is this a 5.0 release blocker? I agree that at least for 5.0 this should be done. But better if we can do it for 4.2.4.

-- TWiki:Main.KennethLavrsen - 18 Sep 2008

I'll see what I can do...

-- TWiki:Main.OlivierRaginel - 29 Sep 2008

Sorry, didn't have much time lately, and had troubles with my development installation. So I guess for 4.2.4 it's too late, but I'll try and do it anyway.

-- TWiki:Main.OlivierRaginel - 10 Oct 2008

I enabled taint mode and fixed the (minor, safe) problems it showed up. Note that I was forced to default $ENV{PATH} to the value of same when configure is first run. However I think the risk of this causing problems is extremely small.

-- TWiki:Main.CrawfordCurrie - 12 Oct 2008

This was marked as an urgent bug for 4.2.4. But the fix was only checked into trunk - i.e. 5.0

Is that a mistake or ??

-- TWiki:Main.KennethLavrsen - 13 Oct 2008

Oh, forgot I was supposed to merge. Don't have a 4.2.4 checkout here, will get to it eventually.

Done.

Reverted the merge, cos I merged to the tag instead of the branch. D'oh!

Finally got it right

-- TWiki:Main.CrawfordCurrie - 16 Oct 2008

Reopened. I just found out that when you change ConfigurationLogFile, the entered value will be used by an open(..), and thus barfs on using a tainted value as file path.

-- Foswiki:Main.KoenMartens - 26 Nov 2008
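
The failure reported in the last comment (a configure value reaching open() while still tainted) and the $ENV{PATH} default mentioned earlier, shown as an added example that is not TWiki or Foswiki code. The allowed directory, the sample inputs and the `untaint_log_path` helper are hypothetical, and the validation policy is an assumption.

```perl
#!/usr/bin/perl -T
# Added example, not TWiki/Foswiki code. Run as: perl -T untaint_example.pl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Constructed taint source: a zero-length string that inherits taint from %ENV.
my $taint = substr(join('', values %ENV), 0, 0);
die "run with -T and a non-empty environment\n" unless tainted($taint);

# Under -T the inherited PATH is tainted; pin it before anything spawns a process.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $ALLOWED_DIR = '/var/log/example-wiki';    # hypothetical log directory

# Return an untainted copy of a log file path, or undef if it fails the policy
# (assumed policy: absolute, conservative characters, no '..', under $ALLOWED_DIR).
sub untaint_log_path {
    my ($value) = @_;
    return undef unless defined $value;
    # Capturing from a regex match is what clears the taint flag.
    my ($clean) = $value =~ m{\A(/[A-Za-z0-9_./-]+)\z} or return undef;
    return undef if grep { $_ eq '..' } File::Spec->splitdir($clean);
    return undef unless index($clean, "$ALLOWED_DIR/") == 0;
    return $clean;
}

# Constructed sample values standing in for what a user types into configure.
for my $entered ("$ALLOWED_DIR/configure.log", "$ALLOWED_DIR/../../etc/x.log",
                 "$ALLOWED_DIR/a;b.log", 'relative.log') {
    my $value = $entered . $taint;            # make the sample tainted
    # Opening for write with a tainted name dies before touching the filesystem.
    my $ok   = eval { open(my $fh, '>>', $value); 1 };
    my $died = $ok ? 'no' : 'yes';
    my $clean = untaint_log_path($value);
    printf "%-45s tainted-open died: %-3s validated: %s\n", $entered, $died,
        defined $clean
            ? "$clean (tainted=" . (tainted($clean) ? 1 : 0) . ")"
            : 'rejected';
}
```

Only the first sample passes validation and comes back untainted; the other three are rejected, so no open() for writing would be attempted with them.
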
Topic revision: r24 - 08 Jan 2009, KwangErnLiew