From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from localhost (fantadrom.bsd.lv [local]) by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 35e79e82 for ; Thu, 21 Mar 2019 11:40:58 -0500 (EST)
Date: Thu, 21 Mar 2019 11:40:58 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: For more than 15 years, running cvsweb.cgi hasn't been tested
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID:

Log Message:
-----------
For more than 15 years, running cvsweb.cgi hasn't been tested
with Perl taint checks, and the following commit message from
patch-cvsweb_cgi rev. 1.11 from the OpenBSD port indicates that
there were already issues with Perl 5.8.  Very likely, things
only got worse during all those years.

While re-auditing the whole program for taint safety would
certainly make sense, i'm not going to do that for the legacy
2.0 codebase.  So simply disable taint checks on this branch.

Hopefully, in the not too distant future, we can get the 4.x
trunk into shape, audit *that*, and then get server admins to
upgrade to 4.x.

Relevant part of the original commit message:

  date: 2003/08/16 23:18:41;  author: naddy;
  * upstreamer maintainer suggests that we run without taint
    checks on perl 5.8
  * [...]

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.12
retrieving revision 3.119.2.13
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.12 -r3.119.2.13
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -wT
+#!/usr/bin/perl -w
 #
 # cvsweb - a CGI interface to CVS trees.
 #
--
To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
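Review bot: The hunk drops -T from the shebang, which is the whole functional change, but the code itself records nothing about why, and server admins reading cvsweb.cgi will not see the commit log. Suggest a short comment directly under the new `#!/usr/bin/perl -w` line stating that taint checks are intentionally disabled on the 2.0 branch because the legacy code was never audited for them, and that the 4.x trunk is where the audit and the re-enabling of -T are planned. The same comment should make the trade-off explicit for anyone deploying this branch: without -T, untrusted CGI input (query parameters, path components) that reaches file or command operations is no longer rejected by the interpreter at runtime, so the script's own input validation is the only remaining check until the 4.x audit lands.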