Posted to users@spamassassin.apache.org by David Morton <mo...@dgrmm.net> on 2010/01/27 00:16:39 UTC
insecure dependency in sa-learn --import
Trying to import a bayes db, I get:
#sa-learn --import
bayes: perform_upgrade: Insecure dependency in open while running with
-T switch at /usr/share/perl/5.8/File/Copy.pm line 133.
perl 5.8.8
--
David Morton <mo...@dgrmm.net>
Morton Software & Design http://www.dgrmm.net - Ruby on Rails
PHP Applications
Maia Mailguard http://www.maiamailguard.com - Spam management
for mail servers
Re: insecure dependency in sa-learn --import
Posted by David Morton <mo...@dgrmm.net>.
Mark Martinec wrote:
>> perl 5.8.8
>
> --- lib/Mail/SpamAssassin/BayesStore/DBM.pm (revision 903517)
> +++ lib/Mail/SpamAssassin/BayesStore/DBM.pm (working copy)
> @@ -1438,6 +1438,9 @@
> # bayes directory
> my $main = $self->{bayes}->{main};
> my $path = $main->sed_path($main->{conf}->{bayes_path});
> +
> + # prevent dirname() from tainting the result, it assumes $1 is not tainted
> + local($1,$2,$3);
> my $dir = dirname($path);
>
> # make temporary copy since old dbm and new dbm may have same name
Thanks Mark, I can confirm that works for me.
--
David Morton <mo...@dgrmm.net>
Morton Software & Design http://www.dgrmm.net - Ruby on Rails
PHP Applications
Maia Mailguard http://www.maiamailguard.com - Spam management
for mail servers
Re: insecure dependency in sa-learn --import
Posted by Mark Martinec <Ma...@ijs.si>.
David,
> Trying to import a bayes db, I get:
>
> #sa-learn --import
> bayes: perform_upgrade: Insecure dependency in open while running with
> -T switch at /usr/share/perl/5.8/File/Copy.pm line 133.
>
> perl 5.8.8
--- lib/Mail/SpamAssassin/BayesStore/DBM.pm (revision 903517)
+++ lib/Mail/SpamAssassin/BayesStore/DBM.pm (working copy)
@@ -1438,6 +1438,9 @@
# bayes directory
my $main = $self->{bayes}->{main};
my $path = $main->sed_path($main->{conf}->{bayes_path});
+
+ # prevent dirname() from tainting the result, it assumes $1 is not tainted
+ local($1,$2,$3);
my $dir = dirname($path);
# make temporary copy since old dbm and new dbm may have same name
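Review bot: The added `local($1,$2,$3);` stays in effect until the enclosing block exits, not only for the `dirname($path)` call on the next line, and the hunk does not show where that block ends. Consider wrapping just these two statements in a small block so the localization covers the `dirname()` call alone. The comment could also name the perl version where the taint leak was seen (5.8.8 in this report), so the workaround can be revisited once that version is no longer supported.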
Mark
Re: insecure dependency in sa-learn --import
Posted by Warren Togami <wt...@redhat.com>.
On 01/26/2010 06:16 PM, David Morton wrote:
> Trying to import a bayes db, I get:
>
> #sa-learn --import
> bayes: perform_upgrade: Insecure dependency in open while running with
> -T switch at /usr/share/perl/5.8/File/Copy.pm line 133.
>
> perl 5.8.8
What distribution?
Warren