
Item9456: Taint error with foswiki.fcgi

Priority: Normal
CurrentState: Closed
AppliesTo: Extension
Component: FastCGIEngineContrib
WaitingFor:
When running with -T, the pid file needs to be untainted.

As a quick fix, we did this at line 59 of foswiki.fcgi:

# untaint: a blanket match; the capture $1 copies the whole value back, now untainted
$pidfile =~ /^(.*)$/ and $pidfile = $1;

There is probably a better fix.

-- AndrewJones - 11 Aug 2010

Currently, foswiki.fcgi is designed to run with or without the -T switch. Without the taint check, it re-executes itself with the taint check on.

What Operating System, web server and perl version are you using? What is the file with the problem?

-- GilmarSantosJr - 11 Aug 2010

This is on RedHat 4, Perl 5.8.8 and the file is the pidfile, which when we passed the parameter to foswiki.fcgi was ./fcgi.pid. We start the FCGI process using the foswiki.fcgi script, and use Apache to proxy the requests to it.

The error:
Insecure dependency in open while running with -T switch at .../FCGI/ProcManager.pm line 374

-- AndrewJones - 11 Aug 2010

I could also confirm this on Debian Squeeze. I was missing the FCGI::ProcManager module and didn't get the pidfile or the taint error.

I think your fix is OK ;)

-- GilmarSantosJr - 12 Aug 2010

I cannot see this moving further. I released a version with this fix today plus some documentation updates.

If there are more taint issues people will report new errors.

Taint issues often come from CPAN libs and it does not have to mean we are in great danger. A PID file is not something an attacker from the web can change. So if this makes the taint checker shut up, it is OK.

-- KennethLavrsen - 26 Oct 2010
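The three technical points of this thread worked through in one added Perl example (this is not the foswiki.fcgi code; the file name untaint_demo.pl and the function names are assumptions): Andrew's quick fix, the re-exec-under--T behaviour Gilmar describes, and the error from FCGI::ProcManager. Under -T the pidfile path is tainted simply because it arrived on the command line, and the first write-open with it dies with the exact "Insecure dependency in open" message quoted above. The blanket pattern /^(.*)$/ makes that check pass without validating anything, which is what the taint checker is designed to flag; a restrictive pattern that accepts only the path shapes a pidfile should have, and rejects everything else, keeps the check meaningful at no extra cost.

```perl
#!/usr/bin/perl
# Added example, not part of foswiki.fcgi. Run as: perl untaint_demo.pl ./fcgi.pid
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Re-execute under -T when not started with it, the way the thread
# describes foswiki.fcgi doing. ${^TAINT} is true once taint mode is on,
# so the re-executed copy falls straight through this block.
unless (${^TAINT}) {
    exec $^X, '-T', $0, @ARGV or die "cannot re-exec under -T: $!";
}

# Blanket untaint: the quick fix from the thread. Anything without an
# embedded newline passes; nothing about the value is actually checked.
sub untaint_blanket {
    my ($path) = @_;
    $path =~ /^(.*)$/ and $path = $1;
    return $path;
}

# Restrictive untaint: accept only word characters, dots, slashes and
# dashes, and refuse any ".." component. Returns the untainted path, or
# undef when the value does not look like a pidfile path at all.
sub untaint_pidfile {
    my ($path) = @_;
    return undef unless defined $path;
    return undef if $path =~ m{(?:^|/)\.\.(?:/|\z)};
    return $path =~ m{\A([\w./-]+)\z} ? $1 : undef;   # $1 is untainted
}

# Create the pidfile the way a process manager would (open for writing).
# Returns "ok", or the first line of the error, and never dies itself.
sub try_write_pid {
    my ($path) = @_;
    local $@;
    my $ok = eval {
        open my $fh, '>', $path or die "open: $!";
        print {$fh} "$$\n";
        close $fh;
        1;
    };
    return $ok ? 'ok' : (split /\n/, $@)[0];
}

my $arg = shift @ARGV;
die "usage: $0 PIDFILE\n" unless defined $arg;

# 1. The raw argument is tainted; a write-open with it dies under -T.
printf "argument tainted: %s\n", tainted($arg) ? 'yes' : 'no';
print  "write with tainted path: ", try_write_pid($arg), "\n";

# 2. The blanket pattern launders any value, so the write now succeeds
#    whatever the argument was.
my $blanket = untaint_blanket($arg);
printf "blanket untaint tainted: %s, write: %s\n",
    tainted($blanket) ? 'yes' : 'no', try_write_pid($blanket);

# 3. The restrictive pattern only accepts path shapes we expect.
my $strict = untaint_pidfile($arg);
if (defined $strict) {
    print "strict untaint accepted, write: ", try_write_pid($strict), "\n";
} else {
    print "strict untaint rejected: '$arg'\n";
}
```

Run it twice: once with ./fcgi.pid, where both untaint routines let the write through, and once with a value such as "../fcgi.pid" or a path containing spaces or shell metacharacters, where the blanket routine still writes and the restrictive one refuses. The shebang deliberately omits -T: a script that hard-codes -T on the shebang line dies with "Too late for -T option" when started as `perl script.pl`, which is why the re-exec pattern exists.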
 

ItemTemplate

Summary: Taint error with foswiki.fcgi
ReportedBy: AndrewJones
Codebase:
SVN Range:
AppliesTo: Extension
Component: FastCGIEngineContrib
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: Foswikirev:8512
TargetRelease: n/a
ReleasedIn: n/a
Topic revision: r8 - 26 Oct 2010, KennethLavrsen
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See CopyrightStatement. Creative Commons License.