Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2008/06/23 11:46:10 UTC

[Bug 5929] New: hostname can be "(none)", causing "cannot untaint" warnings

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5929

           Summary: hostname can be "(none)", causing "cannot untaint"
                    warnings
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jm@jmason.org


A recent CPAN-tester report says:

Subject: FAIL Mail-SpamAssassin-3.2.5 i586-linux-thread-multi 2.6.8.1
From: g.grigelionis@computer.org
Date: Sat, 21 Jun 2008 11:42:58 +0200
To: cpan-testers@perl.org
Cc: JMASON@cpan.org

This distribution has been tested as part of the cpan-testers
effort to test as many new uploads to CPAN as possible.  See
http://testers.cpan.org/

Output from '/usr/bin/make test':

/usr/bin/perl build/mkrules --exit_on_no_src --src rulesrc --out rules
--manifest MANIFEST --manifestskip MANIFEST.SKIP
no source directory found: exiting
/usr/bin/perl build/preprocessor  -Mvars -DVERSION="3.002005" -DPREFIX="/usr"
-DDEF_RULES_DIR="/usr/share/spamassassin"
-DLOCAL_RULES_DIR="/etc/mail/spamassassin"
-DLOCAL_STATE_DIR="/var/lib/spamassassin"
-DINSTALLSITELIB="/usr/lib/perl5/site_perl/5.8.5"
-DCONTACT_ADDRESS="g.grigelionis@gmail.com" -Msharpbang -Mconditional
-DPERL_BIN="/usr/bin/perl" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw
-osa-update
cp sa-update blib/script/sa-update
/usr/bin/perl "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/sa-update
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
'blib/lib', 'blib/arch')" t/*.t
t/basic_lint.t....................ok
t/basic_obj_api.t.................util: cannot untaint path:
"./log/user_state/auto-whitelist.lock.(none).12635"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12635"
ok
t/bayesdbm.t......................util: cannot untaint path:
"./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12638"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12640"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12642"
util: cannot untaint path: "./log/user_state/bayes.lock.(none).12636"
ok


etc. etc.   Similar warnings appear throughout the test log.

It appears that Mail::SA::Util::fq_hostname() is returning "(none)" as the
hostname, probably from Sys::Hostname in return, and this is being used in the
lock filename.

1. Should "(" and ")" be ok in the untaint_path() function?  IMO no, they're
shell metachars, let's keep them illegal.

2. Should fq_hostname() be fixed to handle this weird output? IMO yes.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
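
The two options raised in the report above, sketched as an added example (this is not SpamAssassin's code and not the committed fix): the path allowlist keeps rejecting "(" and ")", and the hostname is normalised before it reaches the lock filename. The names untaint_path_strict, safe_lock_hostname and lock_path, and the 'localhost' fallback, are assumptions made for illustration.

```perl
# Run with "perl -T" to have Perl enforce taint checks on the real hostname.
use strict;
use warnings;
use Sys::Hostname ();

# Hypothetical allowlist untaint for paths. Shell metacharacters such as
# "(" and ")" are not in the class, so they stay rejected (option 1).
sub untaint_path_strict {
    my ($path) = @_;
    return unless defined $path;
    return $1 if $path =~ m{\A([-A-Za-z0-9_./:\@+,=]+)\z};
    warn "cannot untaint path: \"$path\"\n";
    return;
}

# Hypothetical hostname normaliser (option 2): accept only dot-separated
# letter/digit/hyphen labels, otherwise fall back to a fixed safe token.
sub safe_lock_hostname {
    my ($raw) = @_;
    $raw = eval { Sys::Hostname::hostname() } unless defined $raw;
    $raw = '' unless defined $raw;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return lc $1
        if length($raw) <= 253 && $raw =~ /\A($label(?:\.$label)*)\z/;
    return 'localhost';    # assumed fallback value
}

# Build the lock filename from a normalised hostname, then untaint it.
sub lock_path {
    my ($base, $raw_host, $pid) = @_;
    my $host = safe_lock_hostname($raw_host);
    return untaint_path_strict("$base.lock.$host.$pid");
}

# Constructed inputs; "(none)" is the value seen in the test log above.
for my $h ('(none)', 'mail01.example.org', 'bad;name', '') {
    my $naive   = "./log/user_state/bayes.lock.$h.12636";
    my $verdict = defined untaint_path_strict($naive) ? 'accepted' : 'rejected';
    printf "%-22s naive: %-8s normalised: %s\n",
        "'$h'", $verdict, lock_path('./log/user_state/bayes', $h, 12636);
}
```

The empty-hostname case shows why normalising at the source matters: the naive path passes the allowlist but carries no host component, so locks from different machines would share a name.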

[Bug 5929] hostname can be "(none)", causing "cannot untaint" warnings

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5929

Justin Mason <jm...@jmason.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jm@jmason.org
         Resolution|                            |FIXED

--- Comment #2 from Justin Mason <jm...@jmason.org> 2009-09-20 10:34:58 PDT ---
easy fix:

: 9...; svn commit -m "bug 5929: avoid taint warnings if hostname is returned
as '(none)'" lib/Mail/SpamAssassin/Util.pm 
Sending        lib/Mail/SpamAssassin/Util.pm
Transmitting file data .
Committed revision 817057.


[Bug 5929] hostname can be "(none)", causing "cannot untaint" warnings

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5929





--- Comment #1 from Justin Mason <jm...@jmason.org>  2008-06-23 02:47:06 PST ---
Created an attachment (id=4341)
 --> (https://issues.apache.org/SpamAssassin/attachment.cgi?id=4341)
full CPAN-testers mail message

