compatibility issue with Archive::Zip::Member v1.30?

Edward Prendergast edward.prendergast at netring.co.uk
Wed Oct 6 10:47:04 IST 2010


  Hi,

I'm seeing MailScanner 4.81.4 return "MailScanner: Message attempted to 
kill MailScanner" every time it tries to process an .xlsx file 
(Microsoft Excel 2010's format). IIRC the format is a zip container with 
the actual Excel data inside it.

When I run MailScanner in debug mode and send one of these files through 
I get the error message:

Insecure dependency in chmod while running with -T switch at 
/opt/perl5/lib/site_perl/5.12.2/Archive/Zip/Member.pm line 490.

That line in Member.pm (v1.30) says:

chmod ($self->unixFileAttributes(), $name)

My guess is that $name is being passed down, hasn't been checked 
anywhere and so is causing a taint issue.

Should I just do a local rebuild of this module that does $name =~ /.*/ 
to fix this issue for now and then submit it as a patch back to the 
vendor? Just modifying the code like this doesn't seem like a great long 
term solution though as it could be a security risk?

Thanks,
Edward
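
The taint behaviour raised in the message above, as an added example that is not part of the original post and is not code from Archive::Zip or MailScanner. The helper name `untaint_member_name`, the allowed character set, the `/nonexistent-demo/` prefix and the member names are constructed for illustration; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added illustration: why a bare /.*/ match does not untaint a name, and how
# an allowlist capture does. Not code from Archive::Zip or MailScanner.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string; appending it marks a constructed value as tainted.
my $TAINT = substr("$0$^X", 0, 0);

# Hypothetical helper: return an untainted copy of a relative archive member
# name, or undef when the name is not acceptable. The character set is an
# assumption chosen to fit typical .xlsx member names.
sub untaint_member_name {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    return undef if $name =~ m{\A/};                   # absolute path
    return undef if $name =~ m{(?:\A|/)\.\.(?:/|\z)};  # ".." path component
    # Only the captured $1 is untainted; $name itself stays tainted.
    return $name =~ m{\A([A-Za-z0-9_.\[\]-]+(?:/[A-Za-z0-9_.\[\]-]+)*)\z}
        ? $1 : undef;
}

# Constructed member names: three typical .xlsx entries, three hostile ones.
my @members = map { $_ . $TAINT } (
    '[Content_Types].xml', 'xl/workbook.xml', '_rels/.rels',
    '../../etc/passwd', '/etc/shadow', "xl/bad\nname",
);

for my $raw (@members) {
    # 1. A tainted name makes chmod die under -T, as in the quoted error.
    eval { chmod 0644, "/nonexistent-demo/$raw" };
    my $died = $@ =~ /Insecure dependency in chmod/ ? 'dies' : 'runs';

    # 2. A match with no capture changes nothing: the copy is still tainted.
    my $copy = $raw;
    $copy =~ /.*/;
    my $still = tainted($copy) ? 'tainted' : 'clean';

    # 3. Validate against the allowlist, then use only the captured value.
    my $clean = untaint_member_name($raw);
    # Path does not exist, so chmod changes nothing; it just must not die.
    chmod 0644, "/nonexistent-demo/$clean" if defined $clean;

    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-22s raw chmod: %-4s  after /.*/: %-7s  allowlist: %s\n",
        $shown, $died, $still, defined $clean ? 'accepted' : 'rejected';
}
```

A capture of `(.*)` would clear the taint flag without checking anything, which is why the helper validates the name's shape before returning `$1`.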
