Item9456: Taint error with foswiki.fcgi

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Extension
Component: FastCGIEngineContrib
Reported By: AndrewJones
Waiting For:
Last Change By: KennethLavrsen

When running with -T, the pid file needs to be untainted.

As a quick fix, we did this at line 59 of foswiki.fcgi:

# untaint
$pidfile =~ /^(.*)$/ and $pidfile = $1 ;

There is probably a better fix.

-- AndrewJones - 11 Aug 2010

Currently, foswiki.fcgi is designed to run with or without the -T switch. Without the taint check, it re-executes itself with taint check on.

What Operating System, web server and perl version are you using? What is the file with the problem?

-- GilmarSantosJr - 11 Aug 2010

This is on RedHat 4, Perl 5.8.8 and the file is the pidfile, which when we passed the parameter to foswiki.fcgi was ./fcgi.pid. We start the FCGI process using the foswiki.fcgi script, and use Apache to proxy the requests to it.

The error:
Insecure dependency in open while running with -T switch at .../FCGI/ProcManager.pm line 374

-- AndrewJones - 11 Aug 2010

I could also confirm this on Debian Squeeze. I missed the FCGI::ProcManager module and didn't get the pidfile or the taint error.

I think your fix is OK ;)

-- GilmarSantosJr - 12 Aug 2010

I cannot see this moving further. I released a version with this fix today + some docu updates.

If there are more taint issues people will report new errors.

Taint issues often come from CPAN libs and it does not have to mean we are in great danger. A PID file is not something an attacker from the web can change. So if this makes the taint checker shut up it is OK.

-- KennethLavrsen - 26 Oct 2010
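
An added example, not part of this thread and not FastCGIEngineContrib's code: a stricter alternative to the catch-all /^(.*)$/ untaint discussed above, which accepts the pid file path only if it matches an allow-list. The helper name untaint_pidfile, the permitted character set and the required .pid suffix are assumptions made for illustration; the sample paths other than ./fcgi.pid are constructed.

```perl
# Run as: perl -T this_file.pl
use strict;
use warnings;
use File::Spec;

# Hypothetical helper (not in foswiki.fcgi): return an untainted copy of the
# pid file path, or die if the path does not match the allow-list.
sub untaint_pidfile {
    my ($path) = @_;
    die "pidfile not given\n" unless defined $path && length $path;

    # Resolve relative paths such as ./fcgi.pid against the current directory.
    $path = File::Spec->rel2abs($path);

    # Reject parent-directory segments rather than trying to resolve them.
    die "pidfile path contains '..'\n"
        if grep { $_ eq '..' } File::Spec->splitdir($path);

    # Allow-list (assumed policy): absolute path, conservative characters,
    # .pid suffix. \A and \z anchor the whole string; a plain $ would also
    # accept a trailing newline.
    $path =~ m{\A((?:/[A-Za-z0-9_.-]+)+\.pid)\z}
        or die "pidfile path rejected by allow-list\n";

    return $1;    # a capture group from a successful match is untainted
}

# Constructed sample inputs; ./fcgi.pid is the value from the report above.
my @samples = (
    './fcgi.pid',
    '/var/run/foswiki/fcgi.pid',
    "/tmp/fcgi.pid\n",
    '/tmp/../etc/passwd',
    '/tmp/my pid.pid',
);

for my $arg (@samples) {
    my $clean = eval { untaint_pidfile($arg) };
    chomp(my $err = $@ // '');
    (my $shown = $arg) =~ s/\n/\\n/g;    # make a newline visible in output
    printf "%-28s => %s\n", $shown,
        defined $clean ? "accepted as $clean" : "rejected ($err)";
}
```

A current directory whose path contains characters outside the allowed set causes relative paths to be rejected; widen the character class deliberately if the deployment needs it.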
 
Topic revision: r8 - 26 Oct 2010, KennethLavrsen
 