summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kitenet.net>2008-01-06 18:25:43 -0500
committerJoey Hess <joey@kitenet.net>2008-01-06 18:25:43 -0500
commit27261da09be059c6400d71138f060eb94faa407e (patch)
tree129e0b73dab8a03e56c3f759a2aa40f91b74f315
parente92c51f5e546a3286dbe96389fafa7aa21c88516 (diff)
web commit by adb
-rw-r--r--doc/bugs/taint_issue_with_regular_expressions.mdwn11
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/bugs/taint_issue_with_regular_expressions.mdwn b/doc/bugs/taint_issue_with_regular_expressions.mdwn
index e05a59879..5ba9e19f6 100644
--- a/doc/bugs/taint_issue_with_regular_expressions.mdwn
+++ b/doc/bugs/taint_issue_with_regular_expressions.mdwn
@@ -19,4 +19,13 @@ which is exactly the same regular expression drawn out as a constant. It appear
> checking in the debian package. You can do the same by building ikiwiki
> with NOTAINT=1. :-( --[[Joey]]
-[[tag done]]
+----------------
+Continuing to dig into the problem I reported, it may not be taint after all. Running strings on the ikiwiki.cgi wrapper, I see stuff like:
+
+ 'wiki_file_regexp' => bless( do{\(my $o = undef)}, 'Regexp' )
+
+without any payload of the actual regexp, and that would also certainly also have the observed effect of the regexps being completely broken while running in CGI mode. This seems to implicate Data::Dumper (2.101). After upgrading Data::Dumper to 2.121 I get:
+
+ 'wiki_file_regexp' => qr/(?-xism:(^[-[:alnum:]_.:\/+]+$))/
+
+This would call for at most an installation prerequisite of Data::Dumper >= 1.121. A look at the module's changelog shows that no intervening versions were actually released, so 1.121 would be the minimal good one.