Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/01/07 10:19:05 UTC

[Bug 7782] Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7782

Henrik Krohns <ap...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |apache@hege.li
             Status|NEW                         |RESOLVED

--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
Perl taint check does not have AI to decide whether someone can actually abuse
a string (wouldn't that be nice?). Its job is to simply complain if input used
in system functions is not validated.

use Mail::SpamAssassin::Util qw(untaint_var);
...
$socket = untaint_var($socket);

Of course, additionally one should check if the socket even exists; what's the
point of passing garbage around to third-party code? That's the validating
part.

Not SA maintained module so closing as invalid.
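As an added illustration of the two steps the comment above describes (this is not code from the bug report or from SpamAssassin), the following Perl script runs under the -T switch and only hands a socket path to IO::Socket::UNIX after it has been validated with a file test and untainted through a regex capture. The default path is a constructed placeholder, and the regex stands in for what Mail::SpamAssassin::Util::untaint_var does with a broader pattern.

```perl
#!/usr/bin/perl -T
# Added example, not part of the bug report or of SpamAssassin itself.
# Shows why "Insecure dependency in connect" appears and how to clear it
# properly: validate the value, then untaint it, then use it.
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

# Anything from @ARGV, %ENV, files or the network is tainted under -T.
# The fallback path is a constructed placeholder for this example.
my $socket = $ARGV[0] // '/var/run/example/spamd.sock';

# Validating part: the path must exist and actually be a socket.
# File tests (-S, -e, ...) are permitted on tainted values because they
# do not change system state; only connect/open/exec and friends complain.
unless (defined $socket && -S $socket) {
    die "socket path '$socket' does not exist or is not a socket\n";
}

# Untainting part: extracting the value through a regex capture is the only
# operation that clears the taint flag. A conservative character class means
# a path carrying newlines or shell metacharacters is rejected, not laundered.
# (Mail::SpamAssassin::Util::untaint_var performs the same capture step.)
my ($clean_socket) = $socket =~ m{^([A-Za-z0-9_./-]+)\z}
    or die "socket path contains unexpected characters\n";

# Only the validated, untainted copy reaches the connect() that the
# taint check was complaining about at IO/Socket.pm.
my $client = IO::Socket::UNIX->new(
    Type => SOCK_STREAM,
    Peer => $clean_socket,
) or die "connect to $clean_socket failed: $!\n";

print "connected to $clean_socket\n";
close $client;
```

Run it as `perl -T script.pl /path/to/socket`; without the regex capture the connect line reproduces the original "Insecure dependency in connect" error, and without the -S check an untainted but nonexistent path simply fails at connect time instead of being rejected up front.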
