On Thu, 2006-03-16 at 13:13 -0800, Casey T. Deccio wrote:
> However, AFAICT, the code in pg_maintenance looks like it is secure
> enough for -T.  In fact, it doesn't fail when I run it.  Can you
> run /usr/sbin/pg_maintenance from the shell without error?
>
I spoke too soon.  My apt-get upgrade for postgresql-common had not
completed when I responded :)  Mine has the same problem.  Apparently
@options is tainted (line 44) by the use of $v and $c and then used in
exec (line 49).  According to the postgresql-common changelog (Sun, 12
Mar 2006):

  * Enable taint checking in all programs and fix the resulting
    breakage.

But, I'm still not sure why line 49 is a problem.  According to
http://www.perl.com/doc/manual/html/pod/perlsec.html :

  (Important exception: If you pass a list of arguments to either system
  or exec, the elements of that list are NOT checked for taintedness.)

Also, from man perlfunc :

  If there is more than one argument in LIST, or if LIST is an array
  with more than one value, calls execvp(3) with the arguments in LIST.

?

Casey
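
Added example, not part of the original message and not code from postgresql-common: a small Perl script run under -T that shows how option strings built from tainted input stay tainted, and how validating each value with an anchored regex capture untaints it before a list-form exec. The meanings given to $v and $c (version, cluster name), the validation patterns and the /bin/echo target are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_exec.pl 8.1 main   (argument values are constructed samples)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, exec and system also require a known-safe environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $value if the whole string matches $re, else die.
# A regex capture is the documented way to untaint data, so the pattern must
# be strict and anchored at both ends.
sub untaint {
    my ($value, $re, $what) = @_;
    die "missing $what\n" unless defined $value;
    $value =~ /\A($re)\z/ or die "refusing unsafe $what\n";
    return $1;
}

# Show the taint state of each element of an argument list.
sub report {
    my ($label, @list) = @_;
    printf "%-8s %-14s %s\n", $label, $_, tainted($_) ? 'tainted' : 'clean'
        for @list;
}

# Command-line arguments are tainted under -T. $v and $c stand in for the
# variables named in the message; what they hold is assumed here.
my ($v, $c) = @ARGV;
die "usage: perl -T $0 VERSION CLUSTER\n" unless defined $c;

# Any string built from a tainted value is itself tainted.
my @options = ("version=$v", "cluster=$c");
report('raw', @options);

# Validate first, then build the list only from the captured copies.
my $safe_v = untaint($v, qr/\d+(?:\.\d+)*/,  'version');
my $safe_c = untaint($c, qr/[A-Za-z0-9_]+/, 'cluster name');
my @safe   = ("version=$safe_v", "cluster=$safe_c");
report('checked', @safe);

# List form: no shell is involved, arguments are passed to the program as-is.
exec('/bin/echo', @safe) or die "exec failed: $!\n";
```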