Item8538: Unit tests run without taint checking, and miss taint issues
Current State: Closed
Released In: 1.0.10, 1.1.0
Target Release: patch
The Unit Test framework TestRunner.pl does not enable taint checking, whereas the live web environment runs with the -T flag enabled.
This can result in issues being missed by the unit tests that would surface in the live web environment, and it is not possible to write a unit test that exposes taint issues.
Enabling -T breaks TestRunner.pl in several places
- In the BEGIN block, $root is tainted
- glob processing in the -clean routine is tainted.
- File::Find in TestRunner.pm needs untaint => 1 option.
- Several modules add relative paths to @INC, resulting in taint errors
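The following Perl script is an added example and is not Foswiki's TestRunner.pl. It shows one defensive way to handle each of the four breakages listed above so that a test driver runs cleanly under -T: untainting a root directory taken from the environment, untainting glob() results before unlink(), passing untaint => 1 to File::Find, and keeping @INC additions absolute and derived from the untainted root. The environment variable name FOSWIKI_LIBS, the directory layout (lib, working, test/unit) and the function names are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example, not Foswiki's TestRunner.pl: a minimal test-file locator
# that runs under -T by handling each taint source named in the item.
# FOSWIKI_LIBS, the lib/working/test/unit layout and the function names
# are assumptions chosen for this example.
use strict;
use warnings;
use File::Find;
use Scalar::Util qw(tainted);

# 1. A root taken from %ENV (or @ARGV) is tainted under -T. Untaint it by
#    capturing only characters we are willing to accept (absolute path,
#    word characters, '.', '/', '-') and refuse '..' components outright.
sub untaint_root {
    my ($candidate) = @_;
    die "Refusing root '$candidate': must be absolute, plain characters only\n"
        unless $candidate =~ m{^(/[\w./-]+)$};
    my $clean = $1;    # a regex capture group is untainted
    die "Refusing root '$clean': contains a '..' component\n"
        if grep { $_ eq '..' } split m{/}, $clean;
    return $clean;
}

# 2. glob() results are tainted; unlink() on a tainted path dies with
#    "Insecure dependency in unlink". Untaint each match first.
#    Returns the number of files removed.
sub clean_artifacts {
    my ($dir) = @_;
    my $removed = 0;
    for my $path ( glob("$dir/*.tmp") ) {
        next unless $path =~ m{^(\Q$dir\E/[\w.-]+\.tmp)$};
        my $clean = $1;
        if ( unlink $clean ) { $removed++ }
        else                 { warn "unlink $clean: $!\n" }
    }
    return $removed;
}

# 3. File::Find chdir()s into directory names it got from readdir(), which
#    are tainted. 'untaint' makes it check each name against untaint_pattern
#    (a regex with one capture group) before the chdir(); 'untaint_skip'
#    skips a directory that fails the pattern instead of dying.
sub find_test_files {
    my ($dir) = @_;
    my @tests;
    find(
        {
            wanted => sub { push @tests, $File::Find::name if /Tests\.pm$/ },
            untaint         => 1,
            untaint_pattern => qr{^([-+@\w./]+)$},  # File::Find's default, shown explicitly
            untaint_skip    => 1,
        },
        $dir
    );
    # The collected names still carry taint from readdir(); untaint one
    # before passing it to anything that modifies the file system.
    return sort @tests;
}

# 4. Add @INC entries as absolute paths built from the untainted root rather
#    than pushing relative paths such as '.' or '../../bin'.
defined $ENV{FOSWIKI_LIBS}
    or die "Set FOSWIKI_LIBS to the Foswiki root directory\n";
my $root = untaint_root( $ENV{FOSWIKI_LIBS} );
die "internal error: \$root is still tainted\n" if tainted($root);
unshift @INC, "$root/lib";

printf "%d stale .tmp file(s) removed\n", clean_artifacts("$root/working");
print "$_\n" for find_test_files("$root/test/unit");
```

Run it as `perl -T script.pl` or execute the file directly so that the shebang's -T applies; invoking it as `perl script.pl` with -T only on the shebang line aborts with "Too late for -T". Because no external program is spawned, $ENV{PATH} does not need to be cleaned here; a driver that shells out would also have to set it to a fixed value.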
- 16 Feb 2010
TODO: Review whether taints its data structures the same way a real with CGI does.
- 24 May 2010
Finally found the taint issue with DependencyTests
- FoswikiSuite.pm: push( @INC, '.' ); This will taint the path
- FoswikiTestCase.pm: unshift @INC, '../../bin'; # SMELL: dodgy (Yes - taints the path)
- TestRunner.pl: Cleanly adds to the path. The above modules duplicate the paths.
I've been able to comment out the @INC additions - especially the relative ../../ path - and spot-checking, tests still run.
- 26 May 2010
Reopening this to get Release 1.0 unit tests to run with -T flag. With these commits, the tests run except for MailerContrib, which has two failures.
- 20 Jun 2010