This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
setuid dbupdate
davidk at isi.edu
Fri Dec 6 19:08:22 CET 1996
Hi Gabor,

> Gabor Kiss writes :
>
> "Insecure dependency in open while running with -T switch at /usr/local/whois/lib/addkey.pl line 52."
>
> 52: if (open(OVERFLOWADD, ">>".$db[1].$OVERFLOWEXTENSION.$value)) {
>
> I tried at least six different tricks to avoid this message. No success.
> (Hardcoded direct setuid C wrapper is not included in the six.)
>
> Any suggestion?

$filename=~

Could you try this:

in dbopen change:

    sub dbname {
        local(*entry)=@_;
        local($name)=$DBFILE{$entry{"so"}};

        $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
        print STDERR "dbname - name: $name\n" if ($opt_V);
        return $name;
    }

to:

    sub dbname {
        local(*entry)=@_;
        local($name);

        #
        # untaint db file name

        $DBFILE{$entry{"so"}}=~ /(.*)/;
        $name=$1;

        $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
        print STDERR "dbname - name: $name\n" if ($opt_V);
        return $name;
    }

I have not tested this code. Please let me know if it works. No need to CC
the whole db-wg mailing list since it is not really a design issue ...

Note that I also found a couple of other (small) problems with perl5. As the
documentation says: It looks like perl5 is working now but we don't give any
guarantees and are interested in problems you might find. I will collect this
stuff for one big patch file (including RPSL extensions) for Ambrose.

David K.
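
An anchored allow-list variant of the untainting step discussed in this message, as an added example that is not part of the original post or of the RIPE database code. It captures the file name only when it matches an expected shape and checks that the match succeeded before using $1. The directory, the name pattern, the helper name untaint_dbname and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_dbname.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: all database files live in one directory (placeholder path).
my $DBDIR = '/path/to/whois/db';

# Hypothetical helper: return an untainted absolute path, or nothing if the
# name does not look like a database file name.
sub untaint_dbname {
    my ($name) = @_;
    return unless defined $name;
    # Anchored allow-list: alphanumeric first character, then letters, digits,
    # "_" and "-", with single dots between components. "/" , "|" and NUL can
    # never match, and \z (unlike $) also rejects a trailing newline.
    if ($name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]+)*)\z/) {
        return "$DBDIR/$1";   # a capture from a successful match is untainted
    }
    return;                   # match failed: never fall back to a stale $1
}

# Zero-length string that is tainted when perl runs with -T; appending it
# makes the constructed samples below behave like real external input.
my $TAINT = substr("$0$^X", 0, 0);

# Constructed sample names, not taken from a real configuration.
for my $sample ('ripe.db', 'ripe.db.in', '../etc/passwd', "ripe.db\n", '|id', '') {
    my $input = $sample . $TAINT;
    my $path  = untaint_dbname($input);
    (my $shown = $sample) =~ s/\n/\\n/g;
    my $result = defined $path
        ? "accepted: $path (tainted=" . (tainted($path) ? 1 : 0) . ")"
        : 'rejected';
    printf "%-16s input tainted=%d -> %s\n",
        "'$shown'", tainted($input) ? 1 : 0, $result;
}
```

Only the first two samples are accepted, and the paths returned for them are no longer tainted, so a later open() on them passes the -T check.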