
Item1207: Reapply taint check in configure

Priority: Normal
Current State: Closed
Released In: 1.1.0
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: KennethLavrsen
Waiting For:
Last Change By: SvenDowideit
In order to quickly fix Item1197 (configure extension installer fails with taint error), I decided to remove the taint check in 1.0.4.

The developers that normally maintain configure cannot see all these taint issues; the short-term fix is to disable taint checking.

I did this only in configure and only in the Release01x00 branch.

I keep taint checking on in the other scripts because:
  • The configure taint issues are mainly related to extension installation, which is hard to test and therefore has low test coverage compared to view, save etc.
  • The configure script is normally (unless you are a fool) protected against general access and contains features that by nature are much more hackable than what you can sneak in via tainted data. For example, you can replace the commands for RCS and execute anything you want IF you have access to configure AND IF you have the configure save password.

Feel free to undo this temp fix when you have fixed the last taint issues in configure

This bug report is to maintain focus on getting this issue resolved.

Scope for such fix should be 1.0.5 if we decide to do a 1.0.5 or no later than 1.1

-- KennethLavrsen - 05 Mar 2009
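
As an added illustration (not Foswiki's own configure code) of what the -wT switch discussed in this ticket enforces, and of the regex-capture idiom a script uses to untaint a value before it reaches the filesystem or a command. The extension name, the /tmp paths and the allowed character set are assumptions for the demo; run it as `perl -T taint-demo.pl [name]`.

```perl
#!/usr/bin/perl -wT
# Added illustration, not Foswiki's configure code: what Perl's taint mode
# (the -T switch) enforces, and how a value is untainted by regex capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything from outside the program is tainted: %ENV, @ARGV, STDIN,
# file and socket reads. Constructed "CGI parameter": the first argument, or a
# literal deliberately tainted by concatenating an empty slice of $ENV{PATH}.
my $name = shift(@ARGV) // ('Foswiki' . substr($ENV{PATH} // '', 0, 0));

# Taint mode also refuses system-level calls until %ENV is trustworthy.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

printf "name is %s\n", tainted($name) ? 'tainted' : 'clean';

# Tainted data reaching a write/unlink/system operation is fatal under -T,
# whatever the value holds ("Insecure dependency in open ..."). The same
# error class is what the extension installer hit in Item1197.
my $ok = eval { open(my $fh, '>', "/tmp/$name.tgz") and close($fh); 1 };
print 'open with tainted name: ', ($ok ? "allowed\n" : "refused: $@");

# Untainting: a regex capture yields a clean copy. Only the strictness of the
# pattern protects you, so restrict it to the expected shape (here: an
# extension name of letters and digits). Never untaint with (.*).
my ($clean) = $name =~ /^([A-Za-z0-9]+)$/
    or die "rejected extension name: $name\n";

printf "clean copy is %s\n", tainted($clean) ? 'tainted' : 'clean';
$ok = eval { open(my $fh, '>', "/tmp/$clean.tgz") and close($fh); 1 };
print 'open with untainted name: ', ($ok ? "allowed\n" : "refused: $@");
```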

I agree with your assessment of the severity of taint checking in configure, to the extent that I am lowering this to Normal priority. It really isn't urgent.

-- CrawfordCurrie - 14 Mar 2009

Touched for Sven's attention.

-- CrawfordCurrie - 06 Jun 2010

Looks to me like configure in trunk does have -wT, so closing.

-- SvenDowideit - 18 Jun 2010

ItemTemplate

Summary Reapply taint check in configure
ReportedBy KennethLavrsen
Codebase
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Engine
Component
Priority Normal
CurrentState Closed
WaitingFor
Checkins
TargetRelease patch
ReleasedIn 1.1.0
Topic revision: r4 - 18 Jun 2010, SvenDowideit