Bug 118575 - Params::Validate taint issue
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: perl
All Linux
Priority: high, Severity: high
Assigned To: Jason Vas Dias
Fanny Augustin
Reported: 2004-03-17 16:22 EST by Bret McMillan
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2006-04-21 15:38:07 EDT

Attachments
Test script that illustrates Params::Validate issue (222 bytes, text/plain)
2004-06-15 08:44 EDT, Greg DeKoenigsberg

Description Bret McMillan 2004-03-17 16:22:32 EST
my $sid = $pxt->param('sid');


my %params = validate(@_, { sid => 1 });
Comment 1 Chip Turner 2004-05-17 12:15:24 EDT
added new version of perl-Params-Validate (0.74) which should address this
Comment 2 Greg DeKoenigsberg 2004-05-24 16:54:02 EDT
Bret, any way to replicate this reliably?  If so, update the bug. 
Otherwise, looks like this just goes away and new perl-Params-Validate
becomes part of the TODO.
Comment 3 Bret McMillan 2004-05-24 18:51:19 EDT

seems to be having the most issues on prod.  Not really sure how
reliable that is for a test though.
Comment 4 Chip Turner 2004-05-27 10:19:14 EDT
fixed with new Params::Validate
Comment 5 Matt Jamison 2004-06-02 13:57:52 EDT
test plan?
Comment 6 Chip Turner 2004-06-02 15:47:16 EDT
there is no test plan; this is infrastructural.  any breakage would have shown up during 
normal site usage.  so basically any ISEs you see may be caused by this, just report as 
usual and engineers will handle it
Comment 7 Fanny Augustin 2004-06-08 10:03:59 EDT
No breakage was noticed.
Comment 8 Bret McMillan 2004-06-11 11:17:29 EDT
FAILS_QAing until we know just what's going on w/ IS's 3.2 + updated
Params::Validate pkg satellite so we don't lose track of any fix for
Comment 9 Greg DeKoenigsberg 2004-06-15 08:42:49 EDT
From Chip's comment:

This script reproduces it when run like (script attached to bug):
echo 1 | perl -T test-taint.pl
Looks like a bug in validate_with.  If the param isn't there, and
you're in taint mode, and you're using the XS validator, you are
screwed hard.  Even happens in perl 5.8.3.  I'll report it to the
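
A regression check for the condition Comment 9 describes (mandatory parameter absent, taint mode on), added here as an example; it is not the attached test-taint.pl, whose contents are not shown on this page. The file name, the optional `other` parameter and the expectation that an unaffected build names the missing parameter in its error are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the attachment from this bug.
# Run as:  echo 1 | perl -T check-pv-taint.pl   (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Params::Validate qw(validate validate_with);

# Anything read from STDIN is tainted when perl runs with -T.
my $input = <STDIN>;
$input = '' unless defined $input;
chomp $input;
die "run with -T and pipe data on STDIN\n" unless tainted($input);

# 'sid' is mandatory, as in the spec from the bug description.
# 'other' is an optional parameter added for this example so that
# tainted data can be passed without triggering an unknown-key error.
my %spec = (sid => 1, other => 0);

sub via_validate      { my %p = validate(@_, \%spec); return 1 }
sub via_validate_with {
    my %p = validate_with(params => \@_, spec => \%spec);
    return 1;
}

# Call each entry point without 'sid' and inspect the error it raises.
# Assumption: an unaffected build dies with a message naming 'sid'.
my $failures = 0;
for my $case ([validate => \&via_validate],
              [validate_with => \&via_validate_with]) {
    my ($name, $code) = @$case;
    my $ok  = eval { $code->(other => $input); 1 };
    my $err = defined $@ ? $@ : '';
    if ($ok) {
        print "$name: UNEXPECTED success, missing 'sid' was not rejected\n";
        $failures++;
    }
    elsif ($err =~ /sid/) {
        print "$name: ok, error names the missing parameter\n";
    }
    else {
        print "$name: error does not name 'sid': $err\n";
        $failures++;
    }
}
exit($failures ? 1 : 0);
```

A non-zero exit status means the error raised under taint mode did not identify the missing parameter, which is the masking effect noted in Comment 11.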
Comment 10 Greg DeKoenigsberg 2004-06-15 08:44:19 EDT
Created attachment 101145
Test script that illustrates Params::Validate issue
Comment 11 Greg DeKoenigsberg 2004-06-15 08:46:02 EDT
Deferring to rhn350.  We'll keep watching it until something pops out
of the Perl maintainer.

NOTE: in our case, it appears that the worst problem here is that it
masks real errors in RHN code with useless error messages.
Comment 12 Greg DeKoenigsberg 2004-07-12 09:45:27 EDT
Actually, it occurs to me that this should be aligned against Perl itself.
Comment 13 Jason Vas Dias 2006-04-21 15:38:07 EDT
Just closing out old bugs here.

We don't ship perl-Params-Validate (the Params::Validate module) in any current
RHEL or Fedora release - looks like this bug has become a non-issue.
If anyone disagrees, please re-open.
