PATCH: allows URI::URL::ftp to pass taint check
Charles C. Fu (ccwf@bacchus.com)
Wed, 15 Jul 1998 04:52:36 -0700 (PDT)

Taint check failed because whoami is executed with a potentially
insecure path.

Instead, I have replaced `whoami` with the recommended login name
determination incantation (documented in the getlogin section of the
perlfunc manpage).

Note that this also changes and improves behavior slightly. The new
code tries to get the login name from /etc/utmp and falls back to the
real uid. The old `whoami` code indirectly got the name from the
euid.

-ccwf
======================================================================
--- orig/URI/URL/ftp.pm Tue Aug 5 06:59:26 1997
+++ /usr/lib/perl5/URI/URL/ftp.pm Wed Jul 15 04:38:02 1998
@@ -45,7 +45,9 @@
$whoami = $ENV{USER} || $ENV{LOGNAME} || $ENV{USERNAME};
unless ($whoami) {
if ($^O eq 'MSWin32') { $whoami = Win32::LoginName() }
- else { chomp($whoami = `whoami`) }
+ else {
+ $whoami = getlogin || getpwuid($<) || 'unknown';
+ }
}
}
$old = "$whoami\@$fqdn";
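
Review bot: On the added `$whoami = getlogin || getpwuid($<) || 'unknown';` line, the `else` branch is taken on every platform other than MSWin32, and `getpwuid` dies with an "unimplemented" error on Perl ports that do not provide it, so the `'unknown'` fallback would never be reached there. Wrapping the lookup in `eval { ... }` and falling back to `'unknown'` afterwards would keep the module loadable on those ports. Two smaller points: the unchanged first line still prefers `$ENV{USER}`, `$ENV{LOGNAME}` and `$ENV{USERNAME}`, which are user-controlled and tainted under `-T`, so a comment that `$whoami` is only a default for `$old` and not an authenticated identity would help; and the move from the effective uid (old `whoami`) to the real uid (`$<`) is described only in the message, so it should also be noted in a code comment for setuid callers.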