Date: Fri, 29 Mar 2013 01:00:03 GMT From: Darren Pilgrim <ports.maintainer@evilphi.com> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking Message-ID: <201303290100.r2T1035P011201@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/177416; it has been noted by GNATS. From: Darren Pilgrim <ports.maintainer@evilphi.com> To: bug-followup@FreeBSD.org, paulbeard@gmail.com Cc: Subject: Re: ports/177416: mail/postgrey has surfaced a bug in perl's taint checking Date: Thu, 28 Mar 2013 17:52:47 -0700 I can't reproduce this. I have postgrey in production on RELENG_8_3 and RELENG_9_1 systems both i386 and amd64 and in all cases postgrey works without error. I've also tested all four combinations of inet/unix foreground/daemonized on those systems and postgrey functioned normally. The taint checker triggers on code in the base perl install itself, not in postgrey code. Paul and I had a fairly extensive email exchange before he filed this PR. I believe Paul's perl install is broken in some way. The only other documented instances of the error I could find occur in *very* old perl code. Perhaps there are stale files or some other undetected conflict among the over 600 perl modules he has installed. There is also this snippet from the email exchange which implies exactly this scenario: > Strangely, I deleted that file and rebuilt the port that owns it, but > I still get a modification date from 2009: > May 13 2009 /usr/local/lib/perl5/site_perl/5.14.2/mach/IO/Socket.pm > > what do you get for this? > pkg_which /usr/local/lib/perl5/5.14.2/mach/IO/Socket.pm > Now that I have deleted it, pkgdb thinks it belongs to perl itself. To me this screams broken install, broken/corrupt ports and/or a damaged package database. After close to two decades of using perl, it wouldn't surprise me at all if some module stomped on other base/module code and a slightly broken or improperly linted port missed the conflict. FWIW, on all of my systems, even EOL'd ones, pkg/pkgng tells me that file is owned by lang/perl5.14 and the timestamp is consistent with the last time the port was installed. Postgrey is a network-enabled daemon. Running with tainted-variable checking enabled is best practice. Postgrey itself has had taint-mode enabled since 2005. I'm not going to hang everyone's tails out in the wind by disabling it by default. I can't ethically support even a port option to disable it given the circumstances of the error report. If Paul wants to disable taint-checking on his system, he can, of course, remove the -T flag from the hashbang in the installed script.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201303290100.r2T1035P011201>