Re^5: Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542

s/hy/hv/g; # :)

Same failure.

Ah well, it was worth a try. (I had not appreciated that the sample fail was on Linux, I had imagined more esoteric systems.)

I've looked at more code, and am not seeing any obvious opportunities to get tainted results.

I could just about imagine getting taint interaction from rand() - at least, I know that some systems provide device sources of randomness, which would involve interacting with the filesystem. I'm not aware of any way to configure perl to use those directly with rand() though, and I don't see anything in perl source that would touch a filesystem or environment variables if the standard pp_rand() gets called. I can't rule out something replacing pp_rand in PL_ppaddr[] though.

All I can really suggest is to get more instrumentation by shipping a copy of (some version of) File::Temp::tempdir() (and/or a monkey-patched File::Temp::_gettemp()) with checks at various points that $path is touched.

I see that Scalar::Util provides tainted() at least as far back as the version shipped with perl-5.8, so that's probably a reasonable way to check.

The other option would be to contact BINGOS and ask if he could investigate, or give you access to one of the affected systems. And - long shot - it would also be interesting to check if there are any other modules that both use <c>tempdir() and test its behaviour under tainting that have also been tested by the same smokers.

Comment on Re^5: Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542 Select or Download Code

Replies are listed 'Best First'.
Re^6: Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542 by sidney (Acolyte) on Dec 11, 2022 at 21:05 UTC
hv :) I uploaded a renamed copy of rc3 as rc3u and verified that the same test runners that BINGOS is running that fail on rc4 fail on that too, and the failure did not happen on BINGOS' runners with the same platform and perl version when they ran rc3 last September. The details in the reports that passed in September and failed now show no difference in the perl compile options nor in the output from uname for the OS. It only happens on the the 5.14.x, 5.18.x, and 5.20.x runners and nobody else's runners with those perl versions. The 64-bit/32-bit architecture difference is a red herring: He doesn't have any 32-bit runners with that old perl versions anyway. The failures still happen with an rc4c-TRIAL I uploaded which has code ensuring that what is passed to tempdir is untainted and uses an absolute path so can't be a Cwd issue, and which shows the File::Temp version is 0.2311 and the File::Spec version is 3.75. At this point I think I will just ignore those errors unless someone encounters it who can give me access to their machine or a hint that lets me reproduce the problem. I have emailed BINGOS, but I don't think it is worth worrying about anymore. Worst case if someone encounters this in production I can suggest they upgrade their perl to something newer than 5.20.	[reply]

Replies are listed 'Best First'.

Re^6: Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542
by sidney (Acolyte) on Dec 11, 2022 at 21:05 UTC

I uploaded a renamed copy of rc3 as rc3u and verified that the same test runners that BINGOS is running that fail on rc4 fail on that too, and the failure did not happen on BINGOS' runners with the same platform and perl version when they ran rc3 last September. The details in the reports that passed in September and failed now show no difference in the perl compile options nor in the output from uname for the OS. It only happens on the the 5.14.x, 5.18.x, and 5.20.x runners and nobody else's runners with those perl versions. The 64-bit/32-bit architecture difference is a red herring: He doesn't have any 32-bit runners with that old perl versions anyway.

The failures still happen with an rc4c-TRIAL I uploaded which has code ensuring that what is passed to tempdir is untainted and uses an absolute path so can't be a Cwd issue, and which shows the File::Temp version is 0.2311 and the File::Spec version is 3.75.

At this point I think I will just ignore those errors unless someone encounters it who can give me access to their machine or a hint that lets me reproduce the problem. I have emailed BINGOS, but I don't think it is worth worrying about anymore. Worst case if someone encounters this in production I can suggest they upgrade their perl to something newer than 5.20.

[reply]