ports/52386: [patch] devel/cvsweb and perl5.8

Vladimir I. Chukharev chu at gpi.ru
Sat May 17 22:30:16 UTC 2003 

>Number:         52386
>Category:       ports
>Synopsis:       [patch] devel/cvsweb and perl5.8
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 17 15:30:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir I. Chukharev
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD svak.h33.erkki.ton.tut.fi 4.8-STABLE FreeBSD 4.8-STABLE #3: Sun Apr 27 18:20:15 EEST 2003 root at svak.h33.erkki.ton.tut.fi:/usr/obj/usr/src/sys/SVAK i386

ports/devel/cvsweb

>Description:

I found this when installing cvsweb on RedHat-8 with perl5.8, but I guess 
it is the same everywhere. 
Patched version works on FreeBSD 4.8-STABLE fine.

In newer versions of perl the taint checks are a bit more strict. It warns
that parameters to exec() are tainted. The patch apply some simplistic
sanity check to one parameter and just silents perl about the other
parameter (full pathname). 

Perhaps the RE in lines with 'FIX ME ?' should be corrected.
And should 'die' be just 'exit(-1)'?

>How-To-Repeat:

Run cvsweb.cgi on a system with perl5.8, e.g. Linux RedHat 8.0 :^)
You will see in the error logs of httpd something similar to

[Tue May 13 17:05:17 2003] [error] [client xxx.yyy.40.12] Use of tainted arguments in exec is deprecated at cvsweb.pl line 2339., referer:RRRR


>Fix:

--- cvsweb.cgi.patch begins here ---
--- cvsweb.cgi.orig	Sat May 17 23:51:48 2003
+++ cvsweb.cgi	Sat May 17 23:51:42 2003
@@ -2331,6 +2331,16 @@
 
 	print("Going to rlog '$fullname'\n") if ($verbose);
 	if (!open($fh, "-|")) {    # child
+        	if ($revision =~ /^([-\@\w.]*)$/) {# FIX ME ?
+        	    $revision = $1;                # $revision now untainted
+        	} else {
+        	    die "Bad data in $revision";   # log this somewhere
+        	}
+        	if ($fullname =~ /^(.*)$/) {	   # FIX ME ? just silence taint check
+        	    $fullname = $1;                # $fullname now untainted
+        	} else {
+        	    die "Bad data in $fullname";   # log this somewhere
+        	}
 		if ($revision ne '') {
 			openOutputFilter();
 			exec($CMD{rlog}, $revision, $fullname) or exit -1;
--- cvsweb.cgi.patch ends here ---

V.Chukharev
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list