From: Joey Hess Date: Sat, 5 Jan 2008 07:07:29 +0000 (-0500) Subject: response, improve NOTAINT docs X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/commitdiff_plain/9589b7a83c943891dfbaaea38781b2cb4366cc4f response, improve NOTAINT docs --- diff --git a/README b/README index b7b99c0c0..ba632a300 100644 --- a/README +++ b/README @@ -4,7 +4,10 @@ documentation wiki and a man page, and "make install" will install ikiwiki. A few special variables you can set while using the Makefile: PROFILE=1 turns on profiling for the build of the doc wiki. Uses Devel::Profile -NOTAINT=1 turns off the taint flag in the ikiwiki program + +NOTAINT=1 turns off the taint flag in the ikiwiki program. (Recommended +unless your perl is less buggy than mine -- see +http://bugs.debian.org/411786) All other documentation is in the ikiwiki documentation wiki, which is also available online at diff --git a/doc/bugs/taint_issue_with_regular_expressions.mdwn b/doc/bugs/taint_issue_with_regular_expressions.mdwn index 174b4f1c5..e05a59879 100644 --- a/doc/bugs/taint_issue_with_regular_expressions.mdwn +++ b/doc/bugs/taint_issue_with_regular_expressions.mdwn 
@@ -7,3 +7,16 @@ It works if I replace it with: my ($f)=/(^[-[:alnum:]_.:\/+]+$)/; # untaint which is exactly the same regular expression drawn out as a constant. It appears that %config gets some tainted data and is itself being marked entirely tainted, which may prevent using regular expressions contained in it for untainting other data. I'm using Perl 5.8.8. + +> How could `%config` possible get tainted? That would be a major security +> hole. It seems more likely that perl containes to have taint flag bugs +> even in 5.8. See also: [[prune_causing_taint_mode_failures]], +> [[Insecure_dependency_in_mkdir]], +> [[Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn]], +> and especially [[debbug 411786]] +> +> The last of those was the last straw for me, and I disabled taint +> checking in the debian package. You can do the same by building ikiwiki +> with NOTAINT=1. :-( --[[Joey]] + +[[tag done]]
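Review bot: In the README hunk, the new NOTAINT=1 text says the setting is "Recommended" but never states what is given up when the taint flag is turned off, which is the one thing a packager or admin deploying ikiwiki.cgi needs in order to judge the trade-off. Suggest adding a sentence next to "NOTAINT=1 turns off the taint flag in the ikiwiki program." saying that with the flag off perl no longer tracks data from untrusted sources (CGI input, environment, files) into shell and filesystem calls, and that the recommendation exists only to work around perl's taint-mode bugs, not because the checking itself is unwanted; the half-joking "unless your perl is less buggy than mine" reads as a quip rather than guidance.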
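Review bot: In the bug-page hunk, the reply closes the bug with `[[tag done]]` without addressing the reporter's actual observation, namely that the literal pattern `/(^[-[:alnum:]_.:\/+]+$)/` untaints while the same pattern taken from `%config` does not; before marking it done it would help to say whether a tainted pattern is expected to produce tainted captures or whether that is one of the perl bugs being blamed, so the next reader does not reopen it. Also in the added lines: "possible get tainted" should be "possibly get tainted", "perl containes to have" should be "perl continues to have", and `[[Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn]]` carries a `.mdwn` suffix that the sibling links `[[prune_causing_taint_mode_failures]]` and `[[Insecure_dependency_in_mkdir]]` do not, so it may not resolve the same way.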