spamassassin and tainted mode #9805
From mmaslano@redhat.com
Created by mmaslano@redhat.com
The new version of spam assassin is affected by perl tainted
Perl Info

From @obra
Marcela,
After reviewing the linked spamassassin bug, it's not clear to me what's
It would be hugely helpful to us if you could give us a bit more
Thanks,

The RT System itself - Status changed from 'new' to 'open'

From mmaslano@redhat.com
On 10/10/2009 10:47 PM, Jesse via RT wrote:
Upstream claims it was solved by this commit 0abd0d7 - disable non-unicode case insensitive trie matching

@Tux - Status changed from 'open' to 'resolved'

@demerphq - Status changed from 'resolved' to 'open'

From @demerphq
I have reopened this ticket. That this patch fixed this problem says

From Mark.Martinec@ijs.si
Where does this claim come from?
I'm the reporter of the #69973 bug (closed by the above mentioned patch), I tried several times to boil down a tainted-$1 case to a smallish
sub _open_mode_string {
yet when this code is isolated in a test program the problem
Workarounds range from avoiding use of r/w/a in IO::File::open,
Mark

From Mark.Martinec@ijs.si
See also:
Mark

From @demerphq
2009/11/3 Mark Martinec <Mark.Martinec@ijs.si>:
Are you experiencing it on 5.10? And what about 5.11/blead?
cheers,

From @demerphq
2009/11/3 Mark Martinec <Mark.Martinec@ijs.si>:
Yes, knowing if this is fixed without the localizations would be nice.
Also it would be really nice to get to the bottom of this.
I have looked at the regex code and I have looked at the $1 fetch
At the very least we should assert that it isn't.
Yves

From Mark.Martinec@ijs.si
I believe the
I'm pretty well barricaded behind these local($1) containments now, I'm running 5.10.1 on our mailers now. I suppose I could
Mark

From Mark.Martinec@ijs.si
Yves,
Done. And I believe I have it distilled now to a small test case.

#!/usr/bin/perl -T
use strict;
my $mailbox = 'abc@example.com';
# $1 and $2 become tainted
my($nm) = 'aaa-ccc';  # not tainted

Mark

From @rgarcia
2009/11/5 Mark Martinec <Mark.Martinec@ijs.si>:
At 1st glance I would say that is because $1 and $2 appear in the same
| For efficiency reasons, Perl takes a conservative view of

From @demerphq
2009/11/6 Mark Martinec <Mark.Martinec@ijs.si>:
I concur, it seems to me to be a bug if $1 becomes tainted at all.
I mean the whole way of detainting things is via regex capture vars,
Yves

From Mark.Martinec@ijs.si
On Thursday November 5 2009 23:57:05 Rafael Garcia-Suarez wrote:
I don't think that is the problem per se.
The point is that in the s/^aaa-(.*)$/$1/ the $1 is supposed
Mark

From Mark.Martinec@ijs.si
Not to forget that the program uses: use re 'taint', so I believe
Not sure if it still applies to 5.10.1, but I should point out
While I can understand how the
Mark

From @demerphq
2009/11/6 Mark Martinec <Mark.Martinec@ijs.si>:
I totally missed the re 'taint'. apologies.
yves

From @iabyn
On Thu, Nov 05, 2009 at 09:28:10PM +0100, Mark Martinec wrote:
Now fixed by commit 447ee13

commit 447ee13
RT #67962: $1 treated as tainted in untainted match
Affected files ...
Differences ...

In the 70's we wore flares because we didn't know any better.

@iabyn - Status changed from 'open' to 'resolved'
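
An added illustration of the behaviour this ticket is about (not code from the ticket, from SpamAssassin or from perl's own tests): under -T with use re 'taint', captures from a tainted subject stay tainted, a later match on an untainted subject must give clean captures, and untainting is done deliberately in a no re 'taint' scope. The sample strings, the check helper and the validation pattern are constructed for this example, and the expected results assume a perl that carries the fix named above.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use re 'taint';                  # as in the program discussed in the ticket
use Scalar::Util qw(tainted);

# Zero-length tainted string: $^X is tainted under -T.
my $TAINT = substr($^X, 0, 0);

my $mailbox = 'abc@example.com' . $TAINT;   # constructed input, now tainted
my $nm      = 'aaa-ccc';                    # constructed literal, not tainted

my $failures = 0;

# Hypothetical helper: compare actual taintedness with the expectation.
sub check {
    my ($label, $value, $want_tainted) = @_;
    my $got = tainted($value) ? 1 : 0;
    my $ok  = ($got == $want_tainted);
    $failures++ unless $ok;
    printf "%-4s %-45s %s\n", ($ok ? 'ok' : 'FAIL'), $label,
        ($got ? 'tainted' : 'clean');
}

# 1. Tainted subject under "use re 'taint'": the capture stays tainted.
if ($mailbox =~ /^(.*)\@(.*)$/) {
    check('$1 from tainted $mailbox', $1, 1);
}

# 2. Untainted subject matched after the tainted match above: the result
#    must be clean ("$1 treated as tainted in untainted match" is the bug).
(my $stripped = $nm) =~ s/^aaa-(.*)$/$1/;
check('s/// result on untainted $nm', $stripped, 0);

# 3. Deliberate untainting: validate against a strict pattern in a scope
#    where re 'taint' is switched off, then copy the captures out.
{
    no re 'taint';
    if ($mailbox =~ /^([\w.+-]+)\@([\w.-]+)$/) {
        my ($local, $domain) = ($1, $2);
        check('validated local part, no re taint', $local,  0);
        check('validated domain, no re taint',     $domain, 0);
    }
}

exit($failures ? 1 : 0);
```

Run it as `perl -T file.pl` (or execute the file directly); a non-zero exit status means one of the taint expectations did not hold on that perl build.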
Migrated from rt.perl.org#67962 (status was 'resolved')
Searchable as RT67962$