
From warn200509.txt:

Insecure dependency in exec while running with -T switch at /cygdrive/d/web/Dakar/lib/TWiki/Sandbox.pm line 319.
 at /cygdrive/d/web/Dakar/lib/TWiki/Sandbox.pm line 319
   TWiki::Sandbox::sysCommand('TWiki::Sandbox=HASH(0x58b15c)', '/usr/bin/co -x,v -q -p%REVISION% -ko %FILENAME% ', 'REVISION', 1.1, 'FILENAME', '/cygdrive/d/web/Dakar/data/Sandbox/RcsTest.txt') called at /cygdrive/d/web/Dakar/lib/TWiki/Store/RcsWrap.pm line 220
   TWiki::Store::RcsWrap::getRevision('TWiki::Store::RcsWrap=HASH(0x546f20)', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/Store.pm line 180
   TWiki::Store::readTopicRaw('TWiki::Store=HASH(0xc97728)', 'TWiki::User=HASH(0xe86dfc)', 'Sandbox', 'RcsTest', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/Store.pm line 123
   TWiki::Store::readTopic('TWiki::Store=HASH(0xc97728)', 'TWiki::User=HASH(0xe86dfc)', 'Sandbox', 'RcsTest', 1) called at /cygdrive/d/web/Dakar/lib/TWiki/UI/View.pm line 110
   TWiki::UI::View::view('TWiki=HASH(0x460fa0)') called at /cygdrive/d/web/Dakar/lib/TWiki/UI.pm line 107
   TWiki::UI::__ANON__() called at /cygdrive/d/web/Dakar/lib/Error.pm line 387
   eval {...} called at /cygdrive/d/web/Dakar/lib/Error.pm line 379
   Error::subs::try('CODE(0xe94848)', 'HASH(0xe94950)') called at /cygdrive/d/web/Dakar/lib/TWiki/UI.pm line 156
   TWiki::UI::run('CODE(0x480dd0)') called

The reason is that the version number is never untainted on its way from the URL to RCS.

The following suggested patch untaints the revision and really makes sure that it is a plain integer:

--- lib/TWiki/Store.pm.orig     2005-09-27 16:36:33.584623300 +0200
+++ lib/TWiki/Store.pm  2005-09-27 16:42:54.783976300 +0200
@@ -1682,8 +1682,7 @@
     return 0 unless $rev;
 
-    $rev =~ s/^r//i;
-    $rev =~ s/^\d+\.//; # clean up RCS rev number
+    $rev =~ /(\d+)$/;
 
-    return $rev;
+    return $1;
 }
 
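Review bot: the result of the match `$rev =~ /(\d+)$/;` is never checked, so for an input with no trailing digits (a bare "r", or garbage) `return $1` hands back whatever the last successful match in the enclosing dynamic scope captured, or undef, instead of rejecting the value. Suggest `return 0 unless $rev =~ /(\d+)$/;` followed by `return $1;`, so the function fails closed like the `return 0 unless $rev;` guard above it. The hunk also drops the `# clean up RCS rev number` comment; replacing it with one that says the capture is what untaints the value would document why a plain `s///` is not enough here.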

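To make the taint mechanics behind this report concrete, the following is an added example and not code from TWiki or from the patch above. It runs under `perl -T`, manufactures a tainted revision string the way a CGI parameter would arrive, and compares a capture-based cleanup that checks the match result (`clean_rev`, a hypothetical name) against one that does not (`clean_rev_unchecked`), so the stale `$1` case is visible. `Scalar::Util::tainted` is the same check the reporter used.

```perl
#!/usr/bin/perl -T
# Added example (not TWiki code): why a revision number taken from the URL
# must be untainted by a successful regex capture before it reaches exec().
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical replacement for the cleanup helper in the patch: returns an
# untainted plain integer, or 0 when the input carries no trailing digits.
sub clean_rev {
    my ($rev) = @_;
    return 0 unless defined $rev && length $rev;
    # The capture is what untaints $1; checking the match result is what
    # stops us from returning a stale $1 left over from an earlier match.
    return 0 unless $rev =~ /(\d+)$/;
    return $1;
}

# The shape of the patch as posted: the match result is ignored.
sub clean_rev_unchecked {
    my ($rev) = @_;
    $rev =~ /(\d+)$/;
    return $1;
}

# Under -T every value in %ENV is tainted. A zero-length slice of $ENV{PATH}
# is still tainted, and taint is contagious, so appending it to a literal
# gives us a tainted string offline, without a real CGI request.
my $taint = substr($ENV{PATH} // '', 0, 0);

# Constructed inputs: what a ?rev= parameter might carry.
my @inputs = ('1.1', 'r3', '12; rm -rf /', 'nodigits');

for my $input (@inputs) {
    my $tainted_rev = $taint . $input;
    my $clean = clean_rev($tainted_rev);
    printf "%-14s tainted_in=%d -> %-3s tainted_out=%d\n",
        "'$input'", tainted($tainted_rev) ? 1 : 0, $clean,
        tainted($clean) ? 1 : 0;
}

# The stale-$1 trap: a successful match in the caller's scope, followed by a
# failed match inside the unchecked helper, silently returns the old capture.
'77' =~ /(\d+)/;
my $stale = clean_rev_unchecked('nodigits');
printf "unchecked('nodigits') returned %s (checked version returns %d)\n",
    defined $stale ? $stale : 'undef', clean_rev('nodigits');
```

Run it as `perl -T example.pl`; with the `-T` shebang alone, invoking it as `perl example.pl` dies with "Too late for -T". Every input prints `tainted_in=1` and `tainted_out=0`, the two well-formed revisions come back as `1` and `3`, the shell-metacharacter string and the non-numeric string come back as `0`, and the last line shows the unchecked helper returning `77` for an input that contains no digits at all.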
Thanks Harald.

Interesting that I don't see this warning. Possibly to do with perl version.

FYI we use Sandbox::untaintUnchecked rather than local untaints, so we can keep tabs on all intentional untaints.

SVN 6630

CC


I am not able to reproduce this with SUSE Linux 9.3 / perl 5.8.6 either. The report is from cygwin with perl 5.8.7-4. So perhaps it is the perl version, though there is no hint in perldelta. I definitely checked the cygwin installation with Scalar::Util::tainted() to verify that the version parameter is the culprit. Maybe it is the platform? If so, sorry for the noise...

-- TWiki:Main.HaraldJoerg

ItemTemplate
Summary: Dakar Beta: Viewing old revision fails: "Insecure dependency in exec while running with -T switch"
ReportedBy: TWiki:Main.HaraldJoerg
AppliesTo: Engine
Priority: Normal
CurrentState: Closed
WaitingFor:

Checkins: 6630
Topic attachments
Store.pm.diff (diff, 0.3 K, r0, 2005-09-27 14:51, TWikiGuest): The same patch as attachment
Topic revision: r4 - 2005-09-27 - HaraldJoerg