Posted to commits@spamassassin.apache.org by he...@apache.org on 2019/06/23 14:37:55 UTC

svn commit: r1861937 - in /spamassassin: branches/3.4/t/SATest.pm trunk/t/SATest.pm

Author: hege
Date: Sun Jun 23 14:37:54 2019
New Revision: 1861937

URL: http://svn.apache.org/viewvc?rev=1861937&view=rev
Log:
Some taint fixes

Modified:
    spamassassin/branches/3.4/t/SATest.pm
    spamassassin/trunk/t/SATest.pm

Modified: spamassassin/branches/3.4/t/SATest.pm
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/t/SATest.pm?rev=1861937&r1=1861936&r2=1861937&view=diff
==============================================================================
--- spamassassin/branches/3.4/t/SATest.pm (original)
+++ spamassassin/branches/3.4/t/SATest.pm Sun Jun 23 14:37:54 2019
@@ -56,6 +56,11 @@ BEGIN {
     $sock->close or die "error closing inet6 socket: $!"  if $sock;
     $sock ? 1 : undef;
   };
+
+  # Clean PATH so taint doesn't complain
+  $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
+  # Remove tainted envs, atleast ENV used in FreeBSD
+  delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
 }
 
 # Set up for testing. Exports (as global vars):
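Review bot: The `$ENV{'PATH'}` assignment added to BEGIN is unconditional and process-wide, so every child process the tests spawn after this point inherits exactly `/bin:/usr/bin:/usr/local/bin`, whereas the removed `local` assignments confined the override to three helpers. Commands that tests start by bare name from any other directory will no longer resolve, and on a non-Unix platform these directories mean nothing; whether the harness has a platform check that could guard these two statements is not visible in this hunk. A comment stating the scope would help, e.g. `# Process-wide: PATH and shell-affecting env vars are fixed here for every child the tests spawn (see perlsec)`. The comment typo `atleast` should read `at least`. The same lines appear in the first trunk/t/SATest.pm hunk.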
@@ -245,7 +250,6 @@ sub probably_unused_spamd_port {
 
   my $port;
   my @nstat;
-  local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
   if (!open(NSTAT, "netstat -a -n 2>&1 |")) {
     # not too bad if failing on some architecture, with some luck should be alright
   } else {
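Review bot: With the `local $ENV{'PATH'}` line removed, the bare `netstat` in this pipe open is resolved through whatever PATH is in effect at call time, so the helper is taint-safe only while nothing has reassigned `$ENV{'PATH'}` since the BEGIN block ran. A test script that sets PATH from tainted data after loading this module would make the open fail under `-T` with an insecure-PATH error, which the old per-call override prevented. Either keep a scoped override here or record the dependency where the line used to be, e.g. `# relies on PATH being cleaned in BEGIN; do not reassign $ENV{PATH} in tests`. The same applies to `untaint_system` and `untaint_cmd` in the next two hunks and to the matching trunk/t/SATest.pm hunks. The body of probably_unused_spamd_port continues outside this hunk.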
@@ -1118,7 +1122,6 @@ sub untaint_var {
 
 # untainted system()
 sub untaint_system {
-    local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
     my @args;
     push @args, untaint_var($_) foreach (@_);
     return system(@args);
@@ -1126,7 +1129,6 @@ sub untaint_system {
 
 # untainted version of `shell command`
 sub untaint_cmd {
-    local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
     if (open(CMD, untaint_var($_[0])."|")) {
       my $stdout = do { local($/); <CMD> };
       close CMD;

Modified: spamassassin/trunk/t/SATest.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/t/SATest.pm?rev=1861937&r1=1861936&r2=1861937&view=diff
==============================================================================
--- spamassassin/trunk/t/SATest.pm (original)
+++ spamassassin/trunk/t/SATest.pm Sun Jun 23 14:37:54 2019
@@ -56,6 +56,11 @@ BEGIN {
     $sock->close or die "error closing inet6 socket: $!"  if $sock;
     $sock ? 1 : undef;
   };
+
+  # Clean PATH so taint doesn't complain
+  $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
+  # Remove tainted envs, atleast ENV used in FreeBSD
+  delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
 }
 
 # Set up for testing. Exports (as global vars):
@@ -245,7 +250,6 @@ sub probably_unused_spamd_port {
 
   my $port;
   my @nstat;
-  local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
   if (!open(NSTAT, "netstat -a -n 2>&1 |")) {
     # not too bad if failing on some architecture, with some luck should be alright
   } else {
@@ -1118,7 +1122,6 @@ sub untaint_var {
 
 # untainted system()
 sub untaint_system {
-    local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
     my @args;
     push @args, untaint_var($_) foreach (@_);
     return system(@args);
@@ -1126,7 +1129,6 @@ sub untaint_system {
 
 # untainted version of `shell command`
 sub untaint_cmd {
-    local $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';  # must not be tainted
     if (open(CMD, untaint_var($_[0])."|")) {
       my $stdout = do { local($/); <CMD> };
       close CMD;