From warn200509.txt:
Insecure dependency in exec while running with -T switch at /cygdrive/d/web/Dakar/lib/TWiki/Sandbox.pm line 319.
at /cygdrive/d/web/Dakar/lib/TWiki/Sandbox.pm line 319
TWiki::Sandbox::sysCommand('TWiki::Sandbox=HASH(0x58b15c)', '/usr/bin/co -x,v -q -p%REVISION% -ko %FILENAME% ', 'REVISION', 1.1, 'FILENAME', '/cygdrive/d/web/Dakar/data/Sandbox/RcsTest.txt') called at /cygdrive/d/web/Dakar/lib/TWiki/Store/RcsWrap.pm line 220
TWiki::Store::RcsWrap::getRevision('TWiki::Store::RcsWrap=HASH(0x546f20)', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/Store.pm line 180
TWiki::Store::readTopicRaw('TWiki::Store=HASH(0xc97728)', 'TWiki::User=HASH(0xe86dfc)', 'Sandbox', 'RcsTest', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/Store.pm line 123
TWiki::Store::readTopic('TWiki::Store=HASH(0xc97728)', 'TWiki::User=HASH(0xe86dfc)', 'Sandbox', 'RcsTest', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/UI/View.pm line 110
TWiki::UI::View::view('TWiki=HASH(0x460fa0)') called at /cygdrive/d/web/Dakar/lib/TWiki/UI.pm line 107
TWiki::UI::__ANON__() called at /cygdrive/d/web/Dakar/lib/Error.pm line 387
eval {...} called at /cygdrive/d/web/Dakar/lib/Error.pm line 379
Error::subs::try('CODE(0xe94848)', 'HASH(0xe94950)') called at /cygdrive/d/web/Dakar/lib/TWiki/UI.pm line 156
TWiki::UI::run('CODE(0x480dd0)') called
The reason is that the version number is never untainted on its way from the URL to RCS.
The following suggested patch untaints the revision and really makes sure that it is a plain integer:
--- lib/TWiki/Store.pm.orig 2005-09-27 16:36:33.584623300 +0200
+++ lib/TWiki/Store.pm 2005-09-27 16:42:54.783976300 +0200
@@ -1682,8 +1682,7 @@
return 0 unless $rev;
- $rev =~ s/^r//i;
- $rev =~ s/^\d+\.//; # clean up RCS rev number
+ $rev =~ /(\d+)$/;
- return $rev;
+ return $1;
}
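Review bot: the new `$rev =~ /(\d+)$/;` never checks whether the match succeeded, so for a non-empty `$rev` with no trailing digits the following `return $1;` hands back whatever an earlier successful match in that scope captured (or undef) rather than a safe value. Test the match result and fall back explicitly, e.g. `return $rev =~ /(\d+)$/ ? $1 : 0;`, keeping the existing `return 0 unless $rev;` for the empty case. Dropping `s/^r//i` and `s/^\d+\.//` is fine, since the trailing-digit capture already handles `r3` and `1.3`.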
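An added example, not TWiki's own code, showing the regex-capture untaint from the suggested patch with an explicit fallback when nothing matches, verified with Scalar::Util::tainted() under -T as the report describes. The sample revision strings and the substr-of-$ENV{PATH} trick used to make them tainted are constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Example only (not TWiki code): untaint a revision string via a regex
# capture and confirm the result is clean under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Accepts "3", "r3" and RCS-style "1.3"; returns a plain integer, or 0
# when the string does not end in digits (instead of a stale $1).
sub cleanRev {
    my ($rev) = @_;
    return 0 unless defined $rev && length $rev;
    # The capture is what untaints: Perl treats $1 as clean even when
    # $rev is tainted. Checking the match result avoids reusing an old $1.
    return $rev =~ /(\d+)$/ ? $1 : 0;
}

# Under -T everything from %ENV is tainted, and taint survives substr,
# so this zero-length slice is a tainted '' that taints whatever it is
# appended to. Stand-in for a value arriving from a CGI query parameter.
my $tainted_empty = substr($ENV{PATH} || '', 0, 0);

# Constructed inputs: two RCS forms, a bare integer, and junk.
my @samples = map { $_ . $tainted_empty } ('1.1', 'r3', '42', 'abc');

for my $rev (@samples) {
    my $clean = cleanRev($rev);
    printf "%-4s -> %-3s input tainted: %d, result tainted: %d\n",
        $rev, $clean, tainted($rev) ? 1 : 0, tainted($clean) ? 1 : 0;
}
```

With PATH set, every input line reports tainted while every result reports clean, and 'abc' yields 0 rather than a leftover capture.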
Thanks Harald.
Interesting that I don't see this warning. Possibly to do with the perl version.
FYI we use Sandbox::untaintUnchecked rather than local untaints, so we can keep tabs on all intentional untaints.
SVN 6630
CC
I am not able to reproduce this with SUSE Linux 9.3 / perl 5.8.6 either. The report is from cygwin with perl 5.8.7-4. So perhaps it is the perl version, though there is no hint in perldelta. I definitely checked the cygwin installation with Scalar::Util::tainted() to verify that the version parameter is the culprit. Maybe it is the platform? If so, sorry for the noise...
--
TWiki:Main.HaraldJoerg