Taint problem calling Archive::Zip?

Jeff Mills Jeff.Mills at sydneytech.com.au
Tue Nov 16 00:44:13 GMT 2010



> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of John Wilcock
> Sent: Monday, 15 November 2010 11:23 PM
> To: MailScanner discussion
> Subject: Taint problem calling Archive::Zip?
> 
> Since upgrading from Perl 5.8.8 to 5.12.2 on my Gentoo box, I've had
> several instances of messages "attempting to kill" MailScanner, with
> .docx (or other similar zip-container format) files as attachments.
> 
> Running in debug mode gives the following error:
> 
> Insecure dependency in chmod while running with -T switch at
> /usr/lib64/perl5/vendor_perl/5.12.2/Archive/Zip/Member.pm line 490
> 
> This is with MailScanner 4.81.4, Archive::Zip 1.30. I haven't yet tried
> with MS 4.82 beta or the developer release of Archive::Zip 1.31_01, but
> don't see anything in the changelogs that suggests they would help.
> 
> Any ideas? (other than setting Maximum Archive Depth = 0, which does
> seem to be an effective if less-than-satisfactory workaround)
> 
> John.
> 

I have the same issue at one site. I ended up setting the archive depth to zero as a workaround, but I did stumble upon a patch to the Perl module somewhere that I didn't have time to look at.

Jeff


