
I've re-pro'd this report from irc, using my debian woody vm - the user also said they had the same error on 5.8.0, and would be unable to upgrade in either case

the problem line 1180 is:

    foreach (<$tmpDir/$name.*>) {

********************************
Insecure dependency in glob while running with -T switch at /usr/lib/cgi-bin/DEVELOP/lib/TWiki/UI/Register.pm line 1180.
        TWiki::UI::Register::_deleteUserContext('SvenDowideit.7954', '/usr/lib/cgi-bin/DEVELOP/data/RegistrationApprovals') called at /usr/lib/cgi-bin/DEVELOP/lib/TWiki/UI/Register.pm line 703
        TWiki::UI::Register::finish('TWiki=HASH(0x80f58a8)', '/usr/lib/cgi-bin/DEVELOP/data/RegistrationApprovals') called at /usr/lib/cgi-bin/DEVELOP/lib/TWiki/UI/Register.pm line 87
        TWiki::UI::Register::register_cgi('TWiki=HASH(0x80f58a8)') called at /usr/lib/cgi-bin/DEVELOP/lib/TWiki/UI.pm line 97
        TWiki::UI::__ANON__() called at /usr/lib/cgi-bin/DEVELOP/lib/CPAN/lib///Error.pm line 387
        eval {...} called at /usr/lib/cgi-bin/DEVELOP/lib/CPAN/lib///Error.pm line 379
        Error::subs::try('CODE(0x8936f78)', 'HASH(0x892f788)') called at /usr/lib/cgi-bin/DEVELOP/lib/TWiki/UI.pm line 146
        TWiki::UI::run('CODE(0x82293a4)') called

-- SD

Is there anything else special about this setup? I don't get this problem.

Name comes from the secret - in this case 'SvenDowideit.7954' it's 'SvenDowideit'.

I guess we'd need to apply a regex filter to untaint it. I don't know what the accepted approach is nowadays - stripping out the usual gang of suspects using Sandbox?

-- MC

Untaint as soon as possible (immediately after reading the string and verifying it is valid is best). Use Sandbox:untaintUnchecked to untaint it. CC

I love the idea of untainting the * in name.*

Martin - the version of perl is what's special :-(

SD

and now I can't reproduce it anymore - but it's led to a few new things -- SD
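One way to apply the advice in this thread (validate the name, then untaint it by regex capture as early as possible), as an added example that is not TWiki's own code. The function names, the accepted code pattern and the scratch directory are assumptions; a directory listing replaces the glob so the result does not depend on how a given Perl version taint-checks glob.

```perl
#!/usr/bin/perl -T
# Added example, not TWiki code. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Validate "<WikiName>.<digits>" and return the captured, untainted copy.
# The pattern is an assumption about what a registration code looks like.
sub untaint_code {
    my ($code) = @_;
    return $code =~ /\A([A-Za-z0-9]+\.[0-9]+)\z/ ? $1 : undef;
}

# Delete "$dir/$code.*" without glob: list the directory and match each
# entry against a pattern built only from the already-validated code.
sub delete_user_context {
    my ($code, $dir) = @_;
    my $name = untaint_code($code);
    die "rejected registration code\n" unless defined $name;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @deleted;
    while (defined(my $entry = readdir $dh)) {
        # readdir results are tainted too; capture to untaint before unlink.
        next unless $entry =~ /\A(\Q$name\E\.[A-Za-z0-9]+)\z/;
        my $file = "$dir/$1";
        unlink $file or die "unlink $file: $!";
        push @deleted, $1;
    }
    closedir $dh;
    return sort @deleted;
}

# Constructed demo data: a scratch directory and a tainted request value.
my $taint = substr($^X, 0, 0);             # zero-length but tainted
my $code  = 'SvenDowideit.7954' . $taint;  # stands in for the CGI parameter
my $dir   = "./RegistrationApprovals.demo.$$";
mkdir $dir or die "mkdir $dir: $!";
for my $f ('SvenDowideit.7954.form', 'SvenDowideit.7954.txt', 'OtherUser.1111.txt') {
    open(my $fh, '>', "$dir/$f") or die "open: $!";
    close $fh;
}
printf "input tainted: %s\n", tainted($code) ? 'yes' : 'no';
print  "deleted: $_\n" for delete_user_context($code, $dir);
eval { delete_user_context('../OtherUser.1111' . $taint, $dir) };
print  "path-like code: $@";
unlink "$dir/OtherUser.1111.txt";
rmdir $dir;
```

The name is untainted before it is interpolated into the second pattern, so that pattern is built only from validated data and `\Q...\E` keeps the dot in the code literal.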

ItemTemplate
Summary user registration has a taint error in _deleteUserContext (perl 5.6.1)
ReportedBy SvenDowideit
AppliesTo Engine
Priority Urgent
CurrentState Closed
WaitingFor

Topic revision: r7 - 2005-11-03 - SvenDowideit
 