compatibility issue with Archive::Zip::Member v1.30?

Edward Prendergast edward.prendergast at netring.co.uk
Wed Oct 6 11:34:33 IST 2010


  I tried modifying Member.pm as follows in a test environment for 
debugging:

         $name =~ /^(.*)$/;
         chmod ($self->unixFileAttributes(), $1)
             or return _error("Can't chmod() ${1}: $!");

But I'm still seeing taint errors:
Insecure dependency in chmod while running with -T switch at 
/opt/perl5/lib/site_perl/5.12.2/Archive/Zip/Member.pm line 491.

I guess this means $self->unixFileAttributes() is returning something 
tainted, rather than $name being the tainted variable?

-Edward


On 06/10/2010 10:47, Edward Prendergast wrote:
>  Hi,
>
> I'm seeing MailScanner 4.81.4 return "MailScanner: Message attempted 
> to kill MailScanner" every time it tries to process an .xlsx file 
> (Microsoft Excel 2010's format). IIRC the format is a zip container 
> with the actual Excel data inside it.
>
> When I run MailScanner in debug mode and send one of these files 
> through I get the error message:
>
> Insecure dependency in chmod while running with -T switch at 
> /opt/perl5/lib/site_perl/5.12.2/Archive/Zip/Member.pm line 490.
>
> That line in Member.pm (v1.30) says:
>
> chmod ($self->unixFileAttributes(), $name)
>
> My guess is that $name is being passed down, hasn't been checked 
> anywhere and so is causing a taint issue.
>
> Should I just do a local rebuild of this module that does $name =~ 
> /.*/ to fix this issue for now and then submit it as a patch back to 
> the vendor? Just modifying the code like this doesn't seem like a 
> great long term solution though as it could be a security risk?
>
> Thanks,
> Edward
>
> ************
> The information in this email is confidential and may be legally 
> privileged.
> It is intended solely for the addressee. Access to this email by 
> anyone else
> is unauthorised. If you are not the intended recipient, any action 
> taken or
> omitted to be taken in reliance on it, any form of reproduction,
> dissemination, copying, disclosure, modification, distribution and/or
> publication of this E-mail message is strictly prohibited and may be
> unlawful. If you have received this E-mail message in error, please 
> notify
> us immediately. Please also destroy and delete the message from your
> computer.
> ************
>
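
An added example, not code from the post or from Archive::Zip: under -T, chmod() rejects the call if any argument is tainted, the mode as well as the file names, so laundering only $name still fails when the mode comes from untrusted data. The helper names, the validation patterns and the sample values below are assumptions made for illustration.

```perl
# Added example with constructed values; run as: perl -T taint_chmod_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# An empty but tainted string; appending it taints a value without changing it.
my $TAINT = substr($^X, 0, 0);

# Report which chmod() arguments are tainted: index 0 is the mode, 1.. are names.
sub tainted_args {
    my @args = @_;
    return grep { tainted($args[$_]) } 0 .. $#args;
}

# Hypothetical policy: the mode must be a short decimal integer, and only the
# permission bits are kept. $1 from a successful match is untainted.
sub untaint_mode {
    my ($raw) = @_;
    $raw =~ /\A([0-9]{1,6})\z/ or die "refusing mode '$raw'\n";
    my $n = $1;
    return $n & 07777;
}

# Hypothetical policy: a bare file name in the current directory, no separators.
sub untaint_name {
    my ($raw) = @_;
    $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.\-]*)\z/ or die "refusing name '$raw'\n";
    my $ok = $1;
    return $ok;
}

my $file = "taint_demo_$$.tmp";    # untainted: built from a constant and $$
open(my $fh, '>', $file) or die "open $file: $!\n";
close $fh;

my $name = $file . $TAINT;         # stands in for a member name read from an archive
my $mode = "33188" . $TAINT;       # constructed: 0100644 as read from archive data
print "tainted argument positions: @{[ tainted_args($mode, $name) ]}\n";

# Laundering only the name, as in the post, leaves the mode tainted.
my $clean_name = untaint_name($name);
eval { chmod($mode, $clean_name) or die "chmod: $!\n"; 1 }
    or print "name only: $@";

# Validating both arguments lets the call through.
my $clean_mode = untaint_mode($mode);
chmod($clean_mode, $clean_name) or die "chmod: $!\n";
printf "both checked: mode now %04o\n", (stat $clean_name)[2] & 07777;
unlink $clean_name;
```

Unlike a catch-all /^(.*)$/, each pattern here rejects values outside what the caller expects, so the untainting step doubles as input validation.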

