
Re: [Samba] selftest: Perl error "Insecure $ENV{ENV} while running setgid at /home/user/src/samba-git/samba/source3/script/tests/printing/modprinter.pl line 138."




The same error occurs at:
source3/script/tests/fake_snap.pl(25)
which is fixed in the same way.

On 4/19/19 4:46 PM, Manfred wrote:
In my environment the selftest for samba3.rpc.spoolss.printer was failing at source3/script/tests/printing/modprinter.pl(138)

with the Perl error in the subject:
Insecure $ENV{ENV} while running setgid at /home/user/src/samba-git/samba/source3/script/tests/printing/modprinter.pl line 138

code is:
==============================
delete @ENV{'BASH_ENV'};

$ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH
system("cp", "$tmp", "$smb_conf_file"); # <== FAILING HERE
unlink $tmp;
==============================

the solution is, in addition to untainting $PATH:
==============================
# the following is according to:
# https://perldoc.perl.org/perlsec.html#Cleaning-Up-Your-Path
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; # Make %ENV safer
# delete @ENV{'BASH_ENV'};

$ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH
system("cp", "$tmp", "$smb_conf_file"); # <== FAILING HERE
unlink $tmp;
==============================

Although this appears to happen in my environment, and not in the build farm, according to the Perl documentation, would it look like a candidate for consideration?
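
The taint check discussed in this thread, reproduced as an added example (not code from the Samba tree or from the poster): it rebuilds %ENV from tainted sample values and compares the original cleanup with the perlsec one before a list-form system(). Assumptions: it is run with `perl -T` rather than setgid, so the message ends "while running with -T switch" instead of "while running setgid"; the environment values and the `run_with` helper are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not Samba code. Run as: perl -T taint_env_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string: $^X comes from outside the program, so appending
# it to a literal marks the result tainted, like a value inherited from a caller.
my $TAINT = substr($^X, 0, 0);
die "taint mode is off; run with perl -T\n" unless tainted($TAINT);

# Constructed sample values standing in for the inherited environment.
my %inherited = (
    PATH     => '/usr/local/bin:/bin:/usr/bin',
    ENV      => '/home/user/.kshrc',
    BASH_ENV => '/home/user/.bashrc',
);

# Rebuild %ENV from the tainted sample, apply one cleanup, then attempt a
# list-form system() as modprinter.pl does. Returns 'ok' or the error text.
sub run_with {
    my ($cleanup) = @_;
    %ENV = map { $_ => $inherited{$_} . $TAINT } keys %inherited;
    $cleanup->();
    my $rc = eval { system('test', '-d', '/') };
    return 'ok' if defined $rc && $rc == 0;
    (my $err = $@ || "exit status $rc") =~ s/ at .+ line \d+\.\n\z//;
    return $err;
}

my @cases = (
    [ 'no cleanup' => sub { } ],
    # What modprinter.pl did before the change: BASH_ENV removed, PATH reset.
    [ 'BASH_ENV + PATH' => sub {
        delete $ENV{BASH_ENV};
        $ENV{PATH} = '/bin:/usr/bin';
    } ],
    # The perlsec "Cleaning Up Your Path" recipe proposed in the thread.
    [ 'perlsec recipe' => sub {
        delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
        $ENV{PATH} = '/bin:/usr/bin';
    } ],
);

printf "%-16s %s\n", $_->[0], run_with($_->[1]) for @cases;
```

Perl vets PATH, IFS, CDPATH, ENV and BASH_ENV before every exec even when no shell is involved, which is why the list-form system() call still fails while any of them holds an inherited value.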
