On Tue, Jan 19, 2016 at 11:25:47AM +0200, Teodor Milkov wrote:
> I've just installed libcgi-session-perl 4.48-3, but still my twiki spew the
> following error:
>
> /Insecure dependency in sysopen while running with -T switch at
> /usr/share/perl5/CGI/Session/Driver/file.pm line 107. /

Sorry to hear that. Which version of twiki is that?

The taint bug in CGI::Session with a test case at
https://rt.cpan.org/Public/Bug/Display.html?id=80346
is now fixed, so your problem seems to be a different issue. It may well be in twiki itself rather than CGI::Session. In the latter case, we will need a short test case for triggering this.

Twiki itself is not part of Debian, and for my part I'm not particularly interested in setting one up and debugging it.

> I had to apply the following patch to mute it:
> --- tmp/file.pm 2016-01-19 11:17:45.000000000 +0200 > +++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-19 > 11:11:46.000000000 +0200 > @@ -52,6 +52,8 @@ > return $self->set_error( "_file(): Session ids cannot contain \\ or > / chars: $sid" ); > } > > + ($sid) = $sid =~ /(.*)/; > + > return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid > )); > }

While I'm glad it solved your immediate problem, that looks like a band-aid fix for the symptoms. It doesn't fix the root cause.

If $sid is tainted due to external reasons, it's not the place of CGI::Session to untaint it. OTOH, if something in CGI::Session makes it unnecessarily tainted (as was the case in the bug we fixed), that's something we can fix.

I'm copying Peter Thoeny, the TWiki author. Peter, would you be willing to work with us to try and find the reason for these taint problems?

The full bug log so far can be found in https://bugs.debian.org/810799
-- 
Niko Tyni nt...@debian.org
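
Review bot: the added line `($sid) = $sid =~ /(.*)/;` in the `@@ -52,6 +52,8 @@` hunk of file.pm clears the taint flag without validating anything, because `(.*)` accepts any input. The only check visible above it rejects `\` and `/`, so every other externally supplied value reaches `File::Spec->catfile` and then `sysopen` marked as trusted, which defeats the purpose of running under `-T`. The pattern also has no `/s` modifier, so `.` stops at the first newline and a `$sid` containing one is silently truncated rather than rejected. If untainting here is really wanted, capture against a pattern that describes the session id format actually expected and return `set_error` when it does not match. Preferably, find where the tainted value enters and validate it there, so that this function keeps receiving data that was already checked.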