
Re: Errors when committing to webwml



On Tue, 6 Oct 2009 06:57:00 -0700
Matt Kraai <kraai@ftbfs.org> wrote:

> > Insecure dependency in unlink while running setgid at /cvs/webwml/CVSROOT/log_accum.pl line 63.

54 sub cleanup_tmpfiles {
55     local($wd, @files);
57    $wd = `pwd`;
58    chdir("$TMP_DIR") || die("Can't chdir('$TMP_DIR')\n");
59    opendir(DIR, ".");
60    push(@files, grep(/^$FILE_PREFIX\..*\.$id$/, readdir(DIR)));
61    closedir(DIR);
62    foreach (@files) {
63	unlink $_;
64    }
65    unlink $LAST_FILE . "." . $id;
67    chdir($wd);
68}

> 63	unlink $_; this line uses the value returned by readdir(DIR) as is.

Perl complains about it, so I think you'll be able to avoid it by doing something like
s/[^_-\w\d.]//g; (or something narrower) before unlink.

http://perldoc.perl.org/perlsec.html may help..

-- 
victory
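
Added example, not part of the original message and not the project's log_accum.pl: a taint-safe variant of cleanup_tmpfiles. perlsec states that data is untainted only by referencing a capture group from a successful regex match, so each readdir() name is checked against an anchored pattern and only the captured $1 is passed to unlink. The directory, prefix, id and file names are constructed for the demonstration, and the pattern is narrower than the original `.*`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed values: the real $TMP_DIR, $FILE_PREFIX and $id are defined
# elsewhere in log_accum.pl and do not appear in the message.
my $TMP_DIR     = "/tmp/untaint-demo-$$";
my $FILE_PREFIX = 'logaccum';
my $id          = '4242';

sub cleanup_tmpfiles {
    my ($dir, $prefix, $id) = @_;
    my @removed;
    opendir(my $dh, $dir) or die "Can't opendir('$dir'): $!\n";
    my @entries = readdir($dh);
    closedir($dh);
    foreach my $entry (@entries) {
        # Names from readdir() are tainted. Only a capture group from a
        # successful match yields untainted data, so the pattern is
        # anchored and allows just the characters expected in a name.
        next unless $entry =~ /\A(\Q$prefix\E\.[A-Za-z0-9_.-]+\.\Q$id\E)\z/;
        my $name = $1;
        printf "%s: entry tainted=%d, capture tainted=%d\n",
            $name, tainted($entry) ? 1 : 0, tainted($name) ? 1 : 0;
        # Full path instead of chdir(), so no `pwd` output is needed.
        unlink("$dir/$name") or warn "unlink $dir/$name: $!\n";
        push @removed, $name;
    }
    return @removed;
}

# Constructed sample files: two that match and two that must survive.
mkdir($TMP_DIR, 0700) or die "Can't mkdir('$TMP_DIR'): $!\n";
my @keep = ("other.files.$id", "$FILE_PREFIX.files.9999");
foreach my $f ("$FILE_PREFIX.files.$id", "$FILE_PREFIX.log.$id", @keep) {
    open(my $fh, '>', "$TMP_DIR/$f") or die "Can't create $f: $!\n";
    close($fh);
}

my @removed = cleanup_tmpfiles($TMP_DIR, $FILE_PREFIX, $id);
print "removed: ", join(', ', sort @removed), "\n";

# Remove the demo leftovers; these names are built from literals.
unlink("$TMP_DIR/$_") foreach @keep;
rmdir($TMP_DIR) or warn "rmdir $TMP_DIR: $!\n";
```

Run it as `perl -T example.pl` so taint checks are active, as they are automatically for a setgid script; without -T, tainted() reports 0 for both values.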

