NOTE: If you are a developer, please use a private wiki based on foswiki/trunk on a daily base ...or use trunk.foswiki.org to view this page for some minimal testing.
Use Item9693 for docu changes for 1.2 and 2.0.
You are here: Foswiki>Tasks Web>Item9069 (08 Sep 2010, KennethLavrsen) Edit this topic text (e) Attach an image or document to this topic; manage existing attachments (a) View sequential topic history View without formatting (v) Create new topic Printable version of this topic (p) More: delete or rename this topic; set parent topic; view and compare revisions (m)

Item9069: MailerContrib::WebNotify fails with Taint issues. Subscriber names/addresses are tainted.

Priority: CurrentState: AppliesTo: Component: WaitingFor:
Normal Closed Extension MailerContrib   
    MailerContribSuite::testSimple
*** Assertion failed!
 at /var/www/SVN/foswiki/core/lib/Assert.pm line 64
    Assert::ASSERT(undef) called at /var/www/SVN/foswiki/core/lib/Foswiki.pm line 3425
    Foswiki::topicExists('Foswiki=HASH(0x1e39e5a0)', 'TemporaryMailerContribTestsUsersWeb', 'TestGroup') called at /var/www/SVN/foswiki/core/lib/Foswiki/Users/TopicUserMapping.pm line 605
    Foswiki::Users::TopicUserMapping::eachGroupMember('Foswiki::Users::TopicUserMapping=HASH(0x1e383d98)', 'TestGroup') called at /var/www/SVN/foswiki/core/lib/Foswiki/Users.pm line 820
    Foswiki::Users::eachGroupMember('Foswiki::Users=HASH(0x1e3844d8)', 'TestGroup') called at /var/www/SVN/foswiki/core/lib/Foswiki/Func.pm line 960
    Foswiki::Func::eachGroupMember('TestGroup') called at /var/www/SVN/foswiki/core/lib/Foswiki/Contrib/MailerContrib/WebNotify.pm line 129
    Foswiki::Contrib::MailerContrib::WebNotify::subscribe('Foswiki::Contrib::MailerContrib::WebNotify=HASH(0x1e459398)', 'TestGroup', '*', 0, 0) called at /var/www/SVN/foswiki/core/lib/Foswiki/Contrib/Maile
    Foswiki::Contrib::MailerContrib::WebNotify::_load('Foswiki::Contrib::MailerContrib::WebNotify=HASH(0x1e459398)') called at /var/www/SVN/foswiki/core/lib/Foswiki/Contrib/MailerContrib/WebNotify.pm line 5
    Foswiki::Contrib::MailerContrib::WebNotify::new('Foswiki::Contrib::MailerContrib::WebNotify', 'TemporaryMailerContribTestsTestWebMailerContribTests', 'WebNotify') called at /var/www/SVN/foswiki/core/lib
    Foswiki::Contrib::MailerContrib::_processWeb('TemporaryMailerContribTestsTestWebMailerContribTests') called at /var/www/SVN/foswiki/core/lib/Foswiki/Contrib/MailerContrib.pm line 91
    Foswiki::Contrib::MailerContrib::mailNotify('ARRAY(0x1e21ce48)', 0, undef, 0, 0) called at /var/www/SVN/foswiki/core/test/unit/MailerContrib/MailerContribSuite.pm line 280
    MailerContribSuite::testSimple('MailerContribSuite=HASH(0x1dee34c8)') called at /var/www/SVN/foswiki/core/lib/Unit/TestRunner.pm line 311

Fixed with SMELL. I'm untainting the subscriber without validation. The subscriber has already passed through the Email validations and local email validations. I suspect this should be safe, but needs validation.

-- GeorgeClark - 27 May 2010

Reviewed, thanks George. Though I don't understand why the untaint is required there (it definitely is)

-- CrawfordCurrie - 27 May 2010

Reopening to apply the same patch to 1.0.10. Changing status to waiting for release,

 

ItemTemplate edit

Summary MailerContrib::WebNotify fails with Taint issues. Subscriber names/addresses are tainted.
ReportedBy GeorgeClark
Codebase 1.0.9, trunk
SVN Range
AppliesTo Extension
Component MailerContrib
Priority Normal
CurrentState Closed
WaitingFor
Checkins Foswikirev:7568 Foswikirev:7570 Foswikirev:7858
TargetRelease patch
ReleasedIn 1.0.10, 1.1.0
Edit | Attach | Print version | History: r9 < r8 < r7 < r6 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r9 - 08 Sep 2010, KennethLavrsen
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons LicenseGet Foswiki at sourceforge.net. Fast, secure and Free Open Source software downloads