Stas Bekman wrote:
Kent, Mr. John (Contractor) wrote:

Hello Stas,

No, my path does not contain . or .. anywhere.
Here is what I get:

[EMAIL PROTECTED] ~]$ perl -le 'print $ENV{PATH}'
/users/webuser/perl/bin:/users/webuser/apache-ant/bin:users/webuser/netscape:/users/webuser/mysql/bin:/users/webuser/jdev/bin:/users/webuser/tomcat/bin:/users/webuser/jdk/bin:/users/webuser/ImageMagick/bin:/users/webuser/delegates/bin:/users/webuser/delegates/freestyle2/bin:/users/webuser/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/users/webuser/bin

HOWEVER, looking at how complicated the above was I simplified my PATH to

/users/webuser/perl/bin:/users/webuser/ImageMagick/bin:/users/webuser/delegates/bin:/users/webuser/delegates/freestyle2/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/users/webuser/bin

and the tests worked without problem.

Adding back directories revealed the problem was with :users/webuser/netscape
which did not exist.


Ah, good catch! We were taking care of removing . and .., but weren't aware that a relative path without . or .. is a problem too:

% perl -Tle '$ENV{PATH} = "foo/bar"; system("date")'
Insecure directory in $ENV{PATH} while running with -T switch at -e line 1.

I'll patch Apache-Test to handle that case as well.

John, can you please test with your original PATH after applying this patch?

Index: lib/Apache/TestConfig.pm
===================================================================
--- lib/Apache/TestConfig.pm    (revision 358857)
+++ lib/Apache/TestConfig.pm    (working copy)
@@ -1751,7 +1751,7 @@
     # win32 uses ';' for a path separator, assume others use ':'
     my $sep = WIN32 ? ';' : ':';
     # -T disallows relative and empty directories in the PATH
-    return join $sep, grep !/^(\.|$)/, split /$sep/, $path;
+    return join $sep, grep !m#^(?:[^/]|$)#, split /$sep/, $path;
 }

 sub pop_dir {
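Review bot: the new pattern `!m#^(?:[^/]|$)#` keeps only entries that begin with `/`, yet two lines above it the function still picks `;` as the separator for WIN32, where absolute entries normally begin with a drive letter (`C:\...`). On that platform the grep would discard every such entry and return an empty PATH. Consider testing each entry with `File::Spec->file_name_is_absolute($_)` instead of a hard-coded leading `/`, or applying the filter only when WIN32 is false. The existing comment about relative and empty directories still describes the new behaviour and can stay.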



--
_____________________________________________________________
Stas Bekman mailto:[EMAIL PROTECTED]  http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book       http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/
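
A diagnostic for the situation in this thread, as an added example that is not part of the original messages or of Apache-Test: it reports which PATH entries are empty or relative, so the offending entry does not have to be found by removing directories one at a time. The name `audit_path` and the sample PATH are constructed for illustration, and Unix-style `:` separators are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Classify each PATH entry as the thread describes -T treating it:
# empty and relative entries are rejected, absolute ones are accepted.
sub audit_path {
    my ($path, $sep) = @_;
    my @report;
    my $i = 0;
    # A limit of -1 keeps trailing empty fields, so "a:b:" still
    # reports its final empty entry.
    for my $dir (split /\Q$sep\E/, $path, -1) {
        my $reason = $dir eq ''                               ? 'empty'
                   : !File::Spec->file_name_is_absolute($dir) ? 'relative'
                   :                                            undef;
        push @report, { index => $i++, dir => $dir, reason => $reason };
    }
    return @report;
}

# Constructed sample modelled on the PATH in the thread: one entry has
# lost its leading slash and one entry is empty.
my $sample = join ':',
    '/users/webuser/perl/bin',
    'users/webuser/netscape',
    '/usr/local/bin',
    '',
    '/bin',
    '/usr/bin';

# Audit the PATH given as the first argument, or the sample if none.
my $path   = @ARGV ? $ARGV[0] : $sample;
my @report = audit_path($path, ':');

for my $e (@report) {
    printf "%-8s entry %d: '%s'\n",
        $e->{reason} // 'ok', $e->{index}, $e->{dir};
}

# The PATH that remains once the rejected entries are dropped.
my @kept = map { $_->{dir} } grep { !defined $_->{reason} } @report;
print "cleaned PATH: ", join(':', @kept), "\n";
```

Run it with `"$PATH"` as the first argument to audit the current environment instead of the sample.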
