Item9456: Taint error with foswiki.fcgi
Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
When running with -T, the pid file needs to be untainted.
As a quick fix, we did this at line 59 of
foswiki.fcgi
:
# untaint
$pidfile =~ /^(.*)$/ and $pidfile = $1 ;
There is probably a better fix.
--
AndrewJones - 11 Aug 2010
Currently,
foswiki.fcgi
is designed to run with or without -T switch. Without the taint check, it re-executes itself with taint check on.
What Operating System, web server and perl version are you using? What is the file with the problem?
--
GilmarSantosJr - 11 Aug 2010
This is on RedHat 4, Perl 5.8.8 and the file is the pidfile, which when we passed the parameter to
foswiki.fcgi
was
./fcgi.pid
. We start the FCGI process using the
foswiki.fcgi
script, and use Apache to proxy the requests to it.
The error:
Insecure dependency in open while running with -T switch at .../FCGI/ProcManager.pm line 374
--
AndrewJones - 11 Aug 2010
I could also confirm this on Debian Squeeze. I missed
FCGI::ProcManager
module and didn't get the pidfile nor the taint error.
I think your fix is OK
--
GilmarSantosJr - 12 Aug 2010
I cannot see this moving further. I released a version with this fix today + some docu updates.
If there are more taint issues people will report new errors.
Taint issues often come from CPAN libs and it does not have to mean we are in great danger. A PID file is not something an attacker from the web can change. So if this make the taint checker shut up it is OK.
--
KennethLavrsen - 26 Oct 2010