Bug 118575 - Params::Validate taint issue
Summary: Params::Validate taint issue
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: perl   
(Show other bugs)
Version: 2.1
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Fanny Augustin
URL: http://smallville.devel.redhat.com/er...
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-03-17 21:22 UTC by Bret McMillan
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-21 19:38:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Test script that illustrates Params::Validate issue (222 bytes, text/plain)
2004-06-15 12:44 UTC, Greg DeKoenigsberg 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

Description Bret McMillan 2004-03-17 21:22:32 UTC 
my $sid = $pxt->param('sid');

...

my %params = validate(@_, { sid => 1 });
Comment 1 Chip Turner 2004-05-17 16:15:24 UTC 
added new version of perl-Params-Validate (0.74) which should address this
Comment 2 Greg DeKoenigsberg 2004-05-24 20:54:02 UTC 
Bret, any way to replicate this reliably?  If so, update the bug. 
Otherwise, looks like this just goes away and new perl-Params-Validate
becomes part of the TODO.
Comment 3 Bret McMillan 2004-05-24 22:51:19 UTC 
/network/systems/details/edit.pxt

seems to be having the most issues on prod.  Not really sure how
reliable that is for a test though.
Comment 4 Chip Turner 2004-05-27 14:19:14 UTC 
fixed with new Params::Validate
Comment 5 Matt Jamison 2004-06-02 17:57:52 UTC 
test plan?
Comment 6 Chip Turner 2004-06-02 19:47:16 UTC 
there is no test plan; this is infrastructural.  any breakage would have shown up during 
normal site usage.  so basically any ISEs you see may be caused by this, just report as 
usual and engineers will handle it
Comment 7 Fanny Augustin 2004-06-08 14:03:59 UTC 
No breakage was noticed.
Comment 8 Bret McMillan 2004-06-11 15:17:29 UTC 
FAILS_QAing until we know just what's going on w/ IS's 3.2 + updated
Params::Validate pkg satellite so we don't loose track of any fix for
them.
Comment 9 Greg DeKoenigsberg 2004-06-15 12:42:49 UTC 
From Chip's comment:

This script reproduces it when run like (script attached to bug):
echo 1 | perl -T test-taint.pl
                                                                     
          
Looks like a bug in validate_with.  If the param isn't there, and
you're in taint mode, and you're using the XS validator, you are
screwed hard.  Even happens in perl 5.8.3.  I'll report it to the
maintainer.
Comment 10 Greg DeKoenigsberg 2004-06-15 12:44:19 UTC 
Created attachment 101145 [details]
Test script that illustrates Params::Validate issue
Comment 11 Greg DeKoenigsberg 2004-06-15 12:46:02 UTC 
Deferring to rhn350.  We'll keep watching it until something pops out
of the Perl maintainer.

NOTE: in our case, it appears that the worst problem here is that it
masks real errors in RHN code with useless error messages.
Comment 12 Greg DeKoenigsberg 2004-07-12 13:45:27 UTC 
Actually, it occurs to be that this should be aligned against Perl itself.
Comment 13 Jason Vas Dias 2006-04-21 19:38:07 UTC 
Just closing out old bugs here.

We don't ship perl-Params-Validate (the Params::Validate module) in any current
RHEL or Fedora release - looks like this bug has become a non-issue.
If anyone disagrees, please re-open.
Note You need to log in before you can comment on or make changes to this bug.