Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/07/07 15:01:33 UTC

[Bug 6148] sa-update fails: Insecure dependency in mkdir

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6148





--- Comment #1 from Mark Martinec <Ma...@ijs.si>  2009-07-07 06:01:30 PST ---
(my yesterday's posting, just for documentation):

I've seen it last week, looks like an old Perl bug of a tainted $1
is rearing its head again. The following patch to File/Basename.pm
avoids the trouble:

--- Basename.pm~        2009-06-09 16:31:34.000000000 +0200
+++ Basename.pm 2009-06-27 15:49:49.000000000 +0200
@@ -332,4 +332,5 @@
     my $type = $Fileparse_fstype;

+    local $1;
     if ($type eq 'MacOS') {
         $_[0] =~ s/([^:]):\z/$1/s;
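
Review bot: the added `local $1;` above the `if ($type eq 'MacOS')` test has no comment explaining it, and on its own it reads like a no-op that a later cleanup could drop. A short comment at that line, saying that it stops a `$1` left tainted by an earlier match from tainting `$_[0]` through the `s/([^:]):\z/$1/s` substitution, would keep the workaround from being removed by mistake.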

Here the $_[0] is NOT tainted, but $1 is, so the $_[0] gets tainted,
which leads to a failure in mkdir further on.
