The check-in of a new revision did not work sometimes. Everything worked but the final ci call seemed to be omitted. After enabling STDERR in Sandbox::sysCommand() (line 316) the following could be seen:
    Insecure dependency in exec while running with -T switch at /home/www/twiki/lib/TWiki/Sandbox.pm line 317.
The command to be executed was generated by Store::RcsWrap::_ci(). The tainted variable being $user. I tracked it down to Client::ApacheLogin::getUser(). If the returned value is untainted the error disappears.
I don't know if the following is correct and sufficient, but it works for me:
    # Untaint the remote user name supplied by the web server so it can be
    # passed to exec/system under perl -T (reporter's proposed fix).
    sub getUser {
        my $this  = shift;
        my $query = $this->{twiki}->{cgiQuery};
        my $name;
        if ( defined($query) ) {
            $name = $query->remote_user();    # tainted: comes from REMOTE_USER
            if ($name) {
                # Copying a regex capture ($1) yields an untainted value.
                # Testing the match avoids reusing a stale $1 when the name
                # contains no alphanumeric characters at all.
                $name = ( $name =~ /([a-zA-Z0-9]+)/ ) ? $1 : undef;
            }
            return $name;
        }
        return undef;
    }
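Added example (not from the report and not TWiki code) that reproduces the taint failure described above in a stand-alone script and shows the whitelist-capture untaint, here anchored to the whole value and rejecting anything else; the REMOTE_USER value is constructed, and the script must be started with perl -T for the checks to apply.

```perl
#!/usr/bin/perl -T
# Added example: why exec fails under -T and how a regex capture untaints.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample. Concatenating a zero-length substring of a tainted
# variable taints the result, which mimics $query->remote_user(), whose
# value CGI.pm reads from the (tainted) $ENV{REMOTE_USER}.
my $user = 'jdoe' . substr( $ENV{PATH}, 0, 0 );
printf "raw value tainted: %s\n", tainted($user) ? 'yes' : 'no';    # yes

# Untaint by capturing only characters from an explicit whitelist.
# Anchoring ^...$ rejects a bad value as a whole instead of silently
# keeping an alphanumeric prefix, and the explicit else branch never
# reuses a stale $1 from an earlier match.
sub untaint_user {
    my $name = shift;
    return undef unless defined $name;
    if ( $name =~ /^([a-zA-Z0-9]+)$/ ) {
        return $1;    # a copied capture is never tainted
    }
    return undef;     # reject: caller treats this as "no user"
}

my $clean = untaint_user($user);
die "user name rejected\n" unless defined $clean;
printf "untainted value tainted: %s\n", tainted($clean) ? 'yes' : 'no';  # no

# -T also refuses to run external commands while these environment
# variables are tainted, so set or remove them before calling system().
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Passing $user here would die with "Insecure dependency in exec while
# running with -T switch"; $clean runs. The list form of system() never
# invokes a shell, so no metacharacters in the argument are interpreted.
system( '/bin/echo', 'checking in as', $clean ) == 0
    or die "system failed: $?\n";
```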
I'm wondering if this is related to Item1559? Can you think of a way to reproduce this?
-- SP
Possibly caused by an old version of CGI.pm.
Untainted the user identity in Client.pm SVN 9163, SVN 9164
CC
Versions used by reporter:
- CGI 3.01
- CGI::Carp 1.27
- CGI::Cookie 1.25
- CGI::Session 4.03
TWiki:Main.UlfJastrow
Closed with the release of 4.0.2
KJL