
Item14910: Remove Taint::Runtime

Priority: Normal
Current State: Closed
Released In: 2.1.7
Target Release: patch
Applies To: Extension
Component: UnitTestContrib, core
Branches: Release02x01 master
Reported By: TimothyLegge
Waiting For:
Last Change By: MichaelDaum
CPAN:File::Copy::Recursive fails under taint mode with

Insecure dependency in chdir while running with -T switch

See below.

       FuncTests::test_moveTopic
***  Insecure dependency in chdir while running with -T switch at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 413.
 at /home/tim/foswiki/core/test/unit/FoswikiTestCase.pm line 45.
	FoswikiTestCase::__ANON__("Insecure dependency in chdir while running with -T switch at "...) called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 413
	File::Copy::Recursive::pathempty("Name1") called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 475
	File::Copy::Recursive::pathrmdir("Name1") called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 405
	File::Copy::Recursive::pathempty("ATTACHMENTS") called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 475
	File::Copy::Recursive::pathrmdir("ATTACHMENTS") called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 405
	File::Copy::Recursive::pathempty("/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/SourceTo"...) called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 475
	File::Copy::Recursive::pathrmdir("/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/SourceTo"...) called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 115
	File::Copy::Recursive::__ANON__(0, "/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/SourceTo"..., "/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/TargetTo"...) called at /usr/share/perl5/vendor_perl/File/Copy/Recursive.pm line 339
	File::Copy::Recursive::dirmove("/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/SourceTo"..., "/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/TargetTo"...) called at /home/tim/foswiki/core/lib/Foswiki/Store/PlainFile.pm line 1420
	Foswiki::Store::PlainFile::_moveFile("/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/SourceTo"..., "/home/tim/foswiki/core/data/TemporaryFuncTestWebFunc/TargetTo"...) called at /home/tim/foswiki/core/lib/Foswiki/Store/PlainFile.pm line 293
	Foswiki::Store::PlainFile::moveTopic(Foswiki::Store::PlainFile=HASH(0x55cb6b54add0), Foswiki::Meta=HASH(0x55cb6b5a8b50), Foswiki::Meta=HASH(0x55cb6b536bd8), "BaseUserMapping_666") called at /home/tim/foswiki/core/lib/Foswiki/Meta.pm line 2293
	Foswiki::Meta::__ANON__() called at /usr/share/perl5/vendor_perl/Error.pm line 465
	eval {...} called at /usr/share/perl5/vendor_perl/Error.pm line 454
	Error::subs::try(CODE(0x55cb6b17a338), HASH(0x55cb6b40cbe0)) called at /home/tim/foswiki/core/lib/Foswiki/Meta.pm line 2310
	Foswiki::Meta::move(Foswiki::Meta=HASH(0x55cb6b5a8b50), Foswiki::Meta=HASH(0x55cb6b536bd8)) called at /home/tim/foswiki/core/lib/Foswiki/Func.pm line 2179
	Foswiki::Func::moveTopic("TemporaryFuncTestWebFunc", "SourceTopic", "TemporaryFuncTestWebFunc", "TargetTopic") called at /home/tim/foswiki/core/test/unit/FuncTests.pm line 1220
	FuncTests::test_moveTopic(FuncTests=HASH(0x55cb6ae90900)) called at /home/tim/foswiki/core/lib/Unit/TestRunner.pm line 575
	Unit::TestRunner::__ANON__() called at /usr/share/perl5/vendor_perl/Error.pm line 465
	eval {...} called at /usr/share/perl5/vendor_perl/Error.pm line 454
	Error::subs::try(CODE(0x55cb6b11af48), HASH(0x55cb6b50e6f8)) called at /home/tim/foswiki/core/lib/Unit/TestRunner.pm line 602
	Unit::TestRunner::runOne(Unit::TestRunner=HASH(0x55cb58f08a38), FuncTests=HASH(0x55cb6ae90900), "FuncTests", undef) called at /home/tim/foswiki/core/lib/Unit/TestRunner.pm line 163
	Unit::TestRunner::start(Unit::TestRunner=HASH(0x55cb58f08a38), "FoswikiSuite.pm") called at ../bin/TestRunner.pl line 143.
 
        FuncTests::test_checkAccessPermission

-- TimothyLegge - 28 May 2020

The tainted string is created within File::Copy::Recursive, line 375

my $starting_point = Cwd::cwd();

This string is tainted. And we can't do anything about it. My advice would be to disable taintedness in the unit tests. Either once and forever, or via

export FOSWIKI_NOTAINT=1

before running the tests.

-- MichaelDaum - 28 May 2020
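
The mechanism discussed above, reduced to a stand-alone script. This is an added example, not part of the original thread and not code from Foswiki or File::Copy::Recursive. It shows a Cwd::cwd() result reaching chdir under -T, and the untaint step that is only available in code you control, which is why it does not help inside the CPAN module. The file name, the PATH value and the path allow-list are assumptions.

```perl
#!/usr/bin/perl -T
# Added illustration; run as: perl -T taint_chdir_demo.pl (file name is hypothetical)
use strict;
use warnings;
use Cwd ();
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Taint mode refuses to run external commands with an untrusted environment,
# and Cwd may fall back to running pwd, so pin PATH first (assumed value).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Step 1: the value the thread points at; it is reported there as tainted.
my $starting_point = Cwd::cwd();
print "cwd() tainted: ", (tainted($starting_point) ? "yes" : "no"), "\n";

# Step 2: a tainted value reaching chdir is fatal under -T.
# Assumption: this mirrors what happens later inside the CPAN module.
my $ok = eval { chdir $starting_point or die "chdir: $!\n"; 1 };
print "chdir(tainted): ", ($ok ? "allowed\n" : "died: $@");

# Step 3: in code you control, untaint by capturing through a strict pattern.
# The allow-list (absolute path, conservative characters) is an assumption.
my ($clean) = $starting_point =~ m{\A(/[\w.+/-]*)\z}
    or die "cwd contains characters outside the allow-list\n";
die "cwd contains a '..' segment\n" if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};

chdir $clean or die "chdir: $!\n";
print "chdir(untainted): allowed, clean copy tainted: ",
    (tainted($clean) ? "yes" : "no"), "\n";
```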

We do not run Foswiki in taint mode anyway. So the tests don't need it either. CPAN modules fail under it anyway. Without taint mode compiling locale files is fine as well.

So I am going to remove Taint::Runtime and all of the fun code working around it.

-- MichaelDaum - 13 Oct 2020
 
Topic revision: r5 - 28 Mar 2022, MichaelDaum