Taint safety problem in Net::OpenID::Consumer 0.11
robla at robla.net
Tue Jun 28 23:25:35 PDT 2005
Unless I'm doing something very boneheaded (quite possible, my Perl
skills are quite rusty), it doesn't appear that Net::OpenID::Consumer
(v0.11) is taint safe.

I've attached my "hello world" consumer CGI app (sorry, not a server),
which, as configured, returns the following error:

"url_fetch_error: Error fetching URL: Insecure dependency in connect
while running with -T switch"

Removing "-Tw" from the script makes it run. I haven't dug deeply into
exactly where the problem is, but I'm guessing it's
Net::OpenID::Consumer->ua that's the tainted variable passed into
URI::Fetch in Consumer.pm.

The reason why I bring this up is that I'm taking a stab at adding
Bugzilla/OpenID consumer support, and I've made some reasonable
progress. BZ ships with taint checking turned on.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2189 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/yadis/attachments/20050628/fa46d161/index.bin
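Editor's note, added to this archived post and not part of the original message or of Net::OpenID::Consumer: the "Insecure dependency in connect while running with -T switch" error is Perl's taint check firing when data that came from outside the program (CGI parameters, %ENV, @ARGV, file input) reaches a socket call. The usual remedy in a taint-mode CGI is to validate the untrusted value against a strict allow-list pattern and use the regex capture, which Perl treats as untainted, before handing it to any code that opens a connection. The script below is a constructed illustration of that pattern for an OpenID identity URL; the function name untaint_identity_url and the allow-list pattern are this example's own choices, and the input is simulated via @ARGV rather than a real CGI request.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post or from Net::OpenID::Consumer):
# validating and untainting an OpenID identity URL before it reaches code
# that opens a socket under -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV and @ARGV are tainted, and anything derived from them is too.
# perlsec also requires a sanitised PATH before any subprocess can be run.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return a clean copy of an http(s) URL, or undef if it does not match a
# conservative allow-list pattern. Perl treats regex capture results as
# untainted, so this is the one place where external data becomes trusted,
# and the pattern (not the caller) decides what is allowed through.
sub untaint_identity_url {
    my ($raw) = @_;
    return undef unless defined $raw;
    if ($raw =~ m{\A(https?://[A-Za-z0-9][A-Za-z0-9.-]*(?::[0-9]{1,5})?(?:/[A-Za-z0-9._~%!\$&'()*+,;=:/\@-]*)?)\z}) {
        return $1;    # the capture is untainted
    }
    return undef;     # anything else is rejected rather than cleaned
}

# Simulated CGI input (constructed for this example): in a real consumer
# this would come from $ENV{QUERY_STRING} or CGI->param('openid_url').
my $from_query = defined $ARGV[0] ? $ARGV[0] : 'http://example.com/user';

printf "raw value tainted: %s\n", tainted($from_query) ? 'yes' : 'no';

my $clean = untaint_identity_url($from_query);
if (defined $clean) {
    printf "clean value tainted: %s\n", tainted($clean) ? 'yes' : 'no';
    # Only now hand $clean to the OpenID consumer / LWP fetch; the socket
    # connect no longer sees tainted data.
} else {
    print "rejected: identity URL does not match the allowed pattern\n";
    exit 1;
}
```

Run it as `perl -T untaint.pl 'http://example.com/user'`: the value taken from @ARGV reports as tainted, the captured copy does not, and a value such as `http://example.com/user;rm -rf /` is rejected outright because the pattern does not admit the space. The point of routing every external value through one validating function is that the taint check then protects the whole consumer: if some other tainted value (a header, a redirect target) still reaches a connect, -T reports it instead of letting it through silently.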