Bug 118575 - Params::Validate taint issue
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: perl
Version: 2.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Fanny Augustin
URL: http://smallville.devel.redhat.com/er...
Reported: 2004-03-17 21:22 UTC by Bret McMillan
Modified: 2007-11-30 22:06 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-04-21 19:38:07 UTC


Attachments
Test script that illustrates Params::Validate issue (222 bytes, text/plain)
2004-06-15 12:44 UTC, Greg DeKoenigsberg

Description Bret McMillan 2004-03-17 21:22:32 UTC
my $sid = $pxt->param('sid');

...

my %params = validate(@_, { sid => 1 });

Comment 1 Chip Turner 2004-05-17 16:15:24 UTC
added new version of perl-Params-Validate (0.74) which should address this


Comment 2 Greg DeKoenigsberg 2004-05-24 20:54:02 UTC
Bret, any way to replicate this reliably?  If so, update the bug. 
Otherwise, looks like this just goes away and new perl-Params-Validate
becomes part of the TODO.

Comment 3 Bret McMillan 2004-05-24 22:51:19 UTC
/network/systems/details/edit.pxt

seems to be having the most issues on prod.  Not really sure how
reliable that is for a test though.

Comment 4 Chip Turner 2004-05-27 14:19:14 UTC
fixed with new Params::Validate

Comment 5 Matt Jamison 2004-06-02 17:57:52 UTC
test plan?

Comment 6 Chip Turner 2004-06-02 19:47:16 UTC
there is no test plan; this is infrastructural.  any breakage would have shown up during 
normal site usage.  so basically any ISEs you see may be caused by this, just report as 
usual and engineers will handle it

Comment 7 Fanny Augustin 2004-06-08 14:03:59 UTC
No breakage was noticed.

Comment 8 Bret McMillan 2004-06-11 15:17:29 UTC
FAILS_QAing until we know just what's going on w/ IS's 3.2 + updated
Params::Validate pkg satellite so we don't lose track of any fix for
them.

Comment 9 Greg DeKoenigsberg 2004-06-15 12:42:49 UTC
From Chip's comment:

This script reproduces it when run like (script attached to bug):
echo 1 | perl -T test-taint.pl

Looks like a bug in validate_with.  If the param isn't there, and
you're in taint mode, and you're using the XS validator, you are
screwed hard.  Even happens in perl 5.8.3.  I'll report it to the
maintainer.

Comment 10 Greg DeKoenigsberg 2004-06-15 12:44:19 UTC
Created attachment 101145
Test script that illustrates Params::Validate issue

Comment 11 Greg DeKoenigsberg 2004-06-15 12:46:02 UTC
Deferring to rhn350.  We'll keep watching it until something pops out
of the Perl maintainer.

NOTE: in our case, it appears that the worst problem here is that it
masks real errors in RHN code with useless error messages.

Comment 12 Greg DeKoenigsberg 2004-07-12 13:45:27 UTC
Actually, it occurs to me that this should be aligned against Perl itself.

Comment 13 Jason Vas Dias 2006-04-21 19:38:07 UTC
Just closing out old bugs here.

We don't ship perl-Params-Validate (the Params::Validate module) in any current
RHEL or Fedora release - looks like this bug has become a non-issue.
If anyone disagrees, please re-open.


