Bug 147465 - XML::XQL not taint-safe by default and warnings if $ENV{TERM} unset.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: perl-libxml-enno
Version: 3
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Warren Togami
Reported: 2005-02-08 05:01 EST by Timothy Hinchcliffe
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-04-17 13:26:00 EDT
Description Timothy Hinchcliffe 2005-02-08 05:01:48 EST
Description of problem:
Using the XML::XQL module will generate warnings unless the $TERM
environment variable is set, even with "no warnings" and without -w
(TERM is unset when running in cron or as a CGI, for example).
It also runs an external binary using backticks during startup without
preparing %ENV.

Version-Release number of selected component (if applicable):
1.02-31

How reproducible:
Every time.

Steps to Reproduce (warnings):
1. TERM= perl -MXML::XQL -e ''

Actual results (warnings):
No value for $TERM and no -T specified
No value for $TERM and no -T specified
No value for $TERM and no -T specified
No value for $TERM and no -T specified
No value for $TERM and no -T specified

Expected results (warnings):
(no output)

Steps to Reproduce (error):
1. perl -T -MXML::XQL -e ''

Actual results (error):
Insecure $ENV{PATH} while running with -T switch at
/usr/lib/perl5/vendor_perl/5.8.5/XML/XQL.pm line 521.
Compilation failed in require.
BEGIN failed--compilation aborted.

Expected results (error):
(no output)

Additional info:
Also affects fc1 and fc2.
Comment 1 Timothy Hinchcliffe 2005-02-08 05:17:36 EST
I suggest changing line 510 ($^O test of sub tput) of
/usr/lib/perl5/vendor_perl/5.8.5/XML/XQL.pm to test if $ENV{TERM} is
set and return undef if it is not set or is "" (which is what it would
do on a Windows or MacOS platform anyway).

I.e.:
if ($^O =~ /Win|MacOS/)
becomes
if ($^O =~ /Win|MacOS/ and $ENV{TERM})
Comment 2 Timothy Hinchcliffe 2005-02-08 05:25:32 EST
That should of course read:
if ($^O =~ /Win|MacOS/ or not $ENV{TERM})
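The two problems reported above (tput run with an empty TERM, and backticks run under -T without a prepared %ENV) can be handled in one wrapper. This is an added example, not code from XML::XQL or from the Fedora patch; the name safe_tput, the PATH value and the validation patterns are assumptions.

```perl
# Run with taint checks enabled: perl -T <this file>
use strict;
use warnings;

# Hypothetical helper (not XML::XQL's own sub): return the escape sequence
# for a terminal capability, or undef when tput cannot or should not be run.
sub safe_tput {
    my ($cap) = @_;

    # Guard from comment 2: skip tput on these platforms and whenever TERM
    # is unset or empty (cron, CGI), which is what triggered the warnings.
    return undef if $^O =~ /Win|MacOS/ or not $ENV{TERM};

    # The capability name is interpolated into a shell command, so accept
    # only short lowercase/digit names. The capture also untaints it.
    my ($safe_cap) = $cap =~ /\A([a-z0-9]{1,16})\z/ or return undef;

    # TERM comes from the caller's environment; validate it the same way.
    my ($safe_term) = $ENV{TERM} =~ /\A([A-Za-z0-9._+-]{1,64})\z/
        or return undef;

    # Taint mode refuses backticks while PATH, IFS, CDPATH, ENV or BASH_ENV
    # are tainted. Replace the whole environment for this call only.
    local %ENV = (
        PATH => '/usr/bin:/bin',    # assumption: tput lives in one of these
        TERM => $safe_term,
    );

    my $out = `tput $safe_cap 2>/dev/null`;
    return $? == 0 ? $out : undef;
}

# Constructed check 1: empty TERM, as in "TERM= perl -MXML::XQL -e ''".
{
    local $ENV{TERM} = '';
    my $bold = safe_tput('bold');
    print defined $bold ? "tput was run\n" : "empty TERM: tput skipped\n";
}

# Constructed check 2: a capability name with shell metacharacters is
# rejected by the pattern before any command is built.
{
    local $ENV{TERM} = 'xterm';
    my $bad = safe_tput('bold; echo injected');
    print defined $bad ? "tput was run\n" : "unsafe name rejected\n";
}
```

Because `local %ENV` is scoped to the sub, the caller's environment is restored on return and the module does not alter %ENV for the rest of the program.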
Comment 3 Ville Skyttä 2005-11-03 01:25:12 EST
FYI, I've fixed these issues in the upcoming FE5 perl-XML-XQL package (bug
172332).
Comment 4 Jason Vas Dias 2005-12-21 20:39:59 EST
Also fixed in upstream XML::XQL 0.68. Same fix now applied in 
perl-libxml-enno-1.0.2-33 in CVS (but then I found out this package is
now "deprecated" and I can't build it in FC5 ...)
Will try to fix in FC-4.
Comment 5 Ville Skyttä 2005-12-22 02:16:59 EST
perl-libxml-enno has been removed from FC5, and the needed bits have already
been split from it and packaged in Extras, see bug 128879.  See also
http://cvs.fedora.redhat.com/viewcvs/rpms/perl-XML-XQL/devel/perl-XML-XQL-tput-147465.patch?root=extras&rev=1.1&view=auto
for the taint fix applied in Extras.
Comment 6 Matthew Miller 2006-07-10 18:17:10 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
