Re: PATCH: allows URI::URL::ftp to pass taint check
Bill Mills-Curran (bcurran@clariion.com)
Fri, 17 Jul 1998 10:32:38 -0400 (EDT)
On 17 Jul 1998, Gisle Aas wrote:
> "Charles C. Fu" <ccwf@bacchus.com> writes:
>
> > Taint check failed because whoami is executed with a potentially
> > insecure path.
> >
> > Instead, I have replaced `whoami` with the recommended login name
> > determination incantation (documented in the getlogin section of the
> > perlfunc manpage).
> >
> > Note that this also changes and improves behavior slightly. The new
> > code tries to get the login name from /etc/utmp and falls back to the
> > real uid. The old `whoami` code indirectly got the name from the
> > euid.
Maybe I'm just unlucky, but I've found that the /etc/utmp file can
give wrong results, so that the username is wrong, and it stays wrong
for the life of the process. I've wasted days tracking down "errors"
in failed scripts, when the cause was a bad /etc/utmp that resulted in
some pretty weird usernames.
This problem is not limited to perl -- the C function misbehaves, too,
and I've seen it on more than 1 UNIX OS. I would urge all coders to
_never_ use getlogin.
Conceptually, I think that the uid is the right way to get the
username.
Bill
>
> OK, it's in. Thanks!
>
> Regards,
> Gisle
>
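The three ways of finding the current user's name discussed in this thread, side by side, as an added Perl example (it is not code from URI::URL or from the patch itself). Run it as `perl -T example.pl`; it assumes `/bin:/usr/bin` is a trusted path whose directories are not world-writable.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run with taint checking enabled:  perl -T example.pl
# Added example; not code from URI::URL or from the patch under discussion.

# perlsec: these must be absent (or untainted) before any external command runs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 1. The old approach: run the external `whoami` program. Under -T this dies
#    with "Insecure $ENV{PATH}" unless PATH is first set to a fixed, trusted
#    value, and whatever the command prints is still tainted data.
sub name_from_whoami {
    local $ENV{PATH} = '/bin:/usr/bin';   # constant string, so untainted
    my $name = `whoami`;
    chomp $name;
    return $name;
}

# 2. The perlfunc incantation adopted by the patch: /etc/utmp first (via
#    getlogin), real uid as the fallback. getlogin returns undef when there
#    is no controlling terminal (e.g. under cron), which is why the fallback
#    exists; Bill's point is that utmp can also return a *wrong* name.
sub name_from_getlogin {
    return getlogin() || (getpwuid($<))[0];
}

# 3. Bill's recommendation: real uid only. Never consults /etc/utmp, starts
#    no process, and the name field returned by getpwuid is not tainted.
sub name_from_uid {
    my ($name) = getpwuid($<);
    return $name;
}

my %method = (
    whoami   => \&name_from_whoami,
    getlogin => \&name_from_getlogin,
    uid      => \&name_from_uid,
);

for my $m (sort keys %method) {
    my $name = $method{$m}->();
    printf "%-9s %-12s tainted=%d\n", $m, $name // '(undef)', tainted($name) ? 1 : 0;
}
```

Only the `whoami` result comes back tainted, so it would need an explicit untainting regex before use in anything taint mode guards; the two getpwuid-based names need none.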