Priority: Normal
Current State: Closed
Released In: 1.1.0
Target Release: patch
Applies To: Engine
Component:
Branches:
In order to quick-fix Item1197 (configure extension installer fails with taint error), I decided to remove the taint check in 1.0.4.
The developers that normally maintain configure cannot see all these taint issues. The short-term fix is: disable taint checking.
I did this only in configure and only in the Release01x00 branch.
I keep taint checking on in the other scripts because
- The configure taint issues are mainly related to extension installation, which is hard to test and therefore has low test coverage compared to view, save, etc.
- The configure script is normally (unless you are a fool) protected against general access and contains features that by nature are much more hackable than what you can sneak in via tainted data. Example: you can replace the commands for RCS and execute anything you want IF you have access to configure AND IF you have the configure save password.
Feel free to undo this temp fix when you have fixed the last taint issues in configure.
This bug report is to maintain focus on getting this issue resolved.
Scope for such a fix should be 1.0.5 if we decide to do a 1.0.5, or no later than 1.1.
--
KennethLavrsen - 05 Mar 2009
I agree with your assessment of the severity of taint checking in configure, to the extent that I am lowering this to Normal priority. It really isn't urgent.
--
CrawfordCurrie - 14 Mar 2009
Touched for Sven's attention.
--
CrawfordCurrie - 06 Jun 2010
Looks to me like configure in trunk does have -wT, so closing.
--
SvenDowideit - 18 Jun 2010