Hi Niko and Teodor,

Sorry for the delay in replying, my inbox is not a good place to track bugs.

Please see related TWiki support question at:
http://twiki.org/cgi-bin/view/Support/SID-02145

Here is the TWiki bug number we use to track the taint issue:
http://develop.twiki.org/~twiki/cgi-bin/view/Bugs/Item7721#r1

Please feel free to pitch in there as well.

Regards,
Peter

On Jan 21, 2016, at 12:28 PM, Niko Tyni <nt...@debian.org> wrote:

> On Tue, Jan 19, 2016 at 11:25:47AM +0200, Teodor Milkov wrote:
>
>> I've just installed libcgi-session-perl 4.48-3, but still my twiki spews the
>> following error:
>>
>> Insecure dependency in sysopen while running with -T switch at
>> /usr/share/perl5/CGI/Session/Driver/file.pm line 107.
>
> Sorry to hear that. Which version of twiki is that?
>
> The taint bug in CGI::Session with a test case at
> https://rt.cpan.org/Public/Bug/Display.html?id=80346
> is now fixed, so your problem seems to be a different issue.
> It may well be in twiki itself rather than CGI::Session.
>
> In the latter case, we will need a short test case for triggering this.
> Twiki itself is not part of Debian, and for my part I'm not particularly
> interested in setting one up and debugging it.
>
>> I had to apply the following patch to mute it:
>
>> --- tmp/file.pm 2016-01-19 11:17:45.000000000 +0200
>> +++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-19
>> 11:11:46.000000000 +0200
>> @@ -52,6 +52,8 @@
>> return $self->set_error( "_file(): Session ids cannot contain \\ or
>> / chars: $sid" );
>> }
>>
>> + ($sid) = $sid =~ /(.*)/;
>> +
>> return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid
>> ));
>> }
>
> While I'm glad it solved your immediate problem, that looks like a
> band-aid fix for the symptoms. It doesn't fix the root cause. If $sid is
> tainted due to external reasons, it's not the place of CGI::Session to
> untaint it. OTOH, if something in CGI::Session makes it unnecessarily
> tainted (as was the case in the bug we fixed), that's something we
> can fix.
>
> I'm copying Peter Thoeny, the TWiki author. Peter, would you be willing
> to work with us to try and find the reason for these taint problems? The
> full bug log so far can be found in https://bugs.debian.org/810799
> --
> Niko Tyni nt...@debian.org

--
Peter Thoeny - Peter09[at]Thoeny.org
http://bit.ly/MrTWiki - consulting on enterprise collaboration
http://TWiki.org - is your team already TWiki enabled?
http://qualityHDR.com - Quality HDR Photography
Knowledge cannot be managed, it can be discovered and shared
This e-mail is: (_) private (_) ask first (x) public
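Review bot: the added line `($sid) = $sid =~ /(.*)/;` in the `@@ -52,6 +52,8 @@` hunk validates nothing: `.*` matches any string, so it only clears Perl's taint flag, and since `.` does not match a newline, a `$sid` that contains one is silently truncated to its first line rather than rejected. The only check ahead of it in the hunk refuses `\\` and `/`, so every other value still reaches `File::Spec->catfile` with the taint laundered away, which defeats the point of running under `-T`. If untainting is to live in `_file()` at all, match against an anchored whitelist of the characters a session id may contain and fail otherwise, e.g. `my ($clean) = $sid =~ /\A([A-Za-z0-9_-]+)\z/ or return $self->set_error("_file(): invalid session id: $sid");`, and use `$clean` in the `sprintf`. The better fix, as the reply below the hunk says, is to find out where the id became tainted and validate it there.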
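The following is an added example, not code from this thread, from CGI::Session or from TWiki. It contrasts the blanket `/(.*)/` untaint from the quoted patch with a validating untaint, and reproduces the "Insecure dependency in sysopen" error on a path built from a still-tainted id. It assumes a hypothetical session directory of `/tmp`, a file name prefix `cgisess_`, that `$ENV{PATH}` is set (it is used only as a taint source), and that session ids are 32 lowercase hex digits, the shape of CGI::Session's default md5 id generator; the pattern is the thing to change for another generator.

```perl
#!/usr/bin/perl -T
# Added example (not part of the thread, CGI::Session or TWiki).
# Run with:  perl -T untaint_demo.pl
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical session directory standing in for $self->{Directory}.
my $dir = '/tmp';

# Under -T every %ENV value is tainted; appending an empty slice of
# $ENV{PATH} is the usual trick to taint a string we construct ourselves.
sub taint_it {
    my ($s) = @_;
    return $s . substr($ENV{PATH} // '', 0, 0);
}

# The quoted patch's approach: /(.*)/ matches any string, so this only
# launders the taint flag. Because '.' does not match "\n", input with a
# newline is silently truncated to its first line instead of rejected.
sub launder_sid {
    my ($sid) = @_;
    ($sid) = $sid =~ /(.*)/;
    return $sid;
}

# Validating untaint: accept only 32 lowercase hex digits (assumed id
# shape, see lead-in) with an anchored match, so nothing before or after
# the id can ride along. Returns undef when the id is malformed; a driver
# would then call set_error and stop instead of touching the filesystem.
sub untaint_sid {
    my ($sid) = @_;
    return undef unless defined $sid;
    my ($clean) = $sid =~ /\A([0-9a-f]{32})\z/;
    return $clean;
}

# Open a session file the way the file driver does. Under -T a tainted
# path dies with "Insecure dependency in sysopen" before any I/O happens.
sub open_status {
    my ($path) = @_;
    my $fh;
    my $ok = eval { sysopen($fh, $path, O_RDONLY) or die "$!\n"; 1 };
    if ($ok) { close $fh; return 'opened' }
    chomp(my $err = $@);
    return "not opened: $err";
}

# Reproduce the error from the thread with a path built from a tainted id.
my $tainted_path = File::Spec->catfile(
    $dir, 'cgisess_' . taint_it('0123456789abcdef0123456789abcdef'));
print "tainted path: ", open_status($tainted_path), "\n\n";

# Constructed sample inputs: a valid id, a valid-looking id followed by a
# newline and extra path text, and a garbage value.
for my $raw ('0123456789abcdef0123456789abcdef',
             "0123456789abcdef0123456789abcdef\n../extra",
             'not-a-session-id') {
    my $sid = taint_it($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    print "input: $shown\n";

    my $laundered = launder_sid($sid);
    printf "  launder_sid: tainted=%s value=%s\n",
        (tainted($laundered) ? 'yes' : 'no'), $laundered;

    my $checked = untaint_sid($sid);
    printf "  untaint_sid: %s\n",
        defined $checked
            ? 'accepted, tainted=' . (tainted($checked) ? 'yes' : 'no')
            : 'rejected';
    if (defined $checked) {
        my $path = File::Spec->catfile($dir, "cgisess_$checked");
        print "  sysopen via validated id: ", open_status($path), "\n";
    }
}
```

The first block of output shows the exact failure mode from the thread: the path is refused by taint mode, not by the filesystem. In the loop, `launder_sid` returns an untainted value for all three inputs and hands back the 32-hex prefix of the newline case as if it were clean, while `untaint_sid` accepts only the first input; for that one the validated path passes the taint check and the result is whatever the filesystem says (normally "No such file or directory" when no session exists), which is where the real error belongs.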