[rt-devel] I18N bug fixed
Jeroen Ruigrok/asmodai
asmodai at wxs.nl
Sat Mar 1 11:01:59 EST 2003
-On [20030228 22:35], Jesse Vincent (jesse at bestpractical.com) wrote:
>http://www.cgisecurity.com/articles/xss-faq.shtml is the faq you want to
>read. And change #253 (what will be 2.1.77) is the change in RT where I
>finished implementing the fix. your bug report about the encoding sub
>was the key to the solution. thanks.
You sure you didn't introduce a bug here Jesse?
I moved from 2.1.75 to 2.1.77 today and got this:
[Sat Mar 1 07:40:42 2003] [warn] FastCGI: server "/www/bugs.tendra.org/rt/bin/mason_handler.fcgi" restarted (pid 18736)
Insecure dependency in require while running setgid at /www/bugs.tendra.org/rt3/lib/RT/I18N.pm line 81.
Compilation failed in require at /www/bugs.tendra.org/rt/bin/mason_handler.fcgi line 29.
[Sat Mar 1 07:40:44 2003] [warn] FastCGI: server "/www/bugs.tendra.org/rt/bin/mason_handler.fcgi" (pid 18736) terminated by calling exit with status '255'
This is with perl 5.8.0 on FreeBSD 4.8-STABLE.
The code in question is (diff between .75 and .77):
sub Init {
+ # Load language-specific functions
+ require $_ for glob(substr(__FILE__, 0, -3) . "/*.pm");
+
# Acquire all .po files and iterate them into lexicons
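Review bot: the new `require $_ for glob(...)` line cannot work under a setgid script, because perl turns taint mode on for setuid/setgid programs and every path glob() returns is tainted; require() then refuses it with exactly the "Insecure dependency in require" error shown in the log above. Each path needs to be untainted before the require by matching it against a pattern that admits only a module filename under the expected directory and using the capture, e.g. `for (glob(substr(__FILE__, 0, -3) . "/*.pm")) { ($_) = m{\A(.+/\w+\.pm)\z} or next; require $_; }`, or the language modules should be listed explicitly instead of discovered via glob.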
Removing this from I18N.pm allows me to continue, since it considers the
glob() to be tainted due to rt being setgid().
--
Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / a capoeirista
PGP fingerprint: 2D92 980E 45FE 2C28 9DB7 9D88 97E6 839B 2EAC 625B
http://www.tendra.org/ | http://www.in-nomine.org/~asmodai/diary/
I am the impossibility...
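For reference, an added example (not RT's own code; the package name and `load_plugins` are hypothetical) of loading a directory of modules in a way that survives taint mode, which is the situation the log above describes:

```perl
package My::TaintSafeLoader;   # hypothetical package, not part of RT
use strict;
use warnings;

# Perl enables taint mode (-T) automatically for setuid/setgid scripts.
# Under taint mode every value glob() returns is tainted, and require()
# dies with "Insecure dependency in require" when handed a tainted path.
# The only way to untaint is to match the value against a regex and use
# the captured part, so the pattern below doubles as the validation:
# an absolute path under $dir, a plain module name, a .pm suffix, and
# nothing else (no "..", no shell metacharacters, no trailing newline).
sub load_plugins {
    my ($dir) = @_;
    my @loaded;
    for my $path (glob("$dir/*.pm")) {
        my ($clean) = $path =~ m{\A(\Q$dir\E/[A-Za-z0-9_]+\.pm)\z}
            or next;          # anything that does not fit is skipped
        require $clean;       # $clean is an untainted regex capture
        push @loaded, $clean;
    }
    return @loaded;
}

1;
```

Called as `My::TaintSafeLoader::load_plugins(substr(__FILE__, 0, -3))` from a module, this mirrors the intent of the I18N.pm change while keeping `perl -T` happy.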