Author: jm
Date: Tue May 25 18:25:12 2004
New Revision: 20449
Modified:
incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
Log:
bug 3320: insecure setuid eval possibly worked around using a similar fix to bug 3325
Modified: incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
==============================================================================
--- incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm (original)
+++ incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm Tue May 25 18:25:12 2004
@@ -3168,7 +3168,14 @@
sub html_eval {
my ($self, undef, $test, $expr) = @_;
- return exists $self->{html}{$test} && eval "qq{\Q$self->{html}{$test}\E} $expr";
+
+ # workaround bug 3320: wierd perl bug where additional, very explicit
+ # untainting into a new var is required.
+ my $tainted = $self->{html}{$test};
+ return unless defined($tainted);
+ $tainted =~ /^(.*)$/; my $val = $1;
+
+ return eval "qq{\Q$val\E} $expr";
}
sub html_text {
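Review bot: The untaint step `$tainted =~ /^(.*)$/; my $val = $1;` never checks that the match succeeded, and without `/s` it fails on any value containing an embedded newline, so `$val` is then whatever `$1` an earlier successful match left behind (or undef), and that is what reaches the string eval. Capturing in list context and bailing out on failure avoids this: `my ($val) = $tainted =~ /^(.*)$/s;` followed by `return unless defined $val;`. Because the pattern accepts everything, it only clears the taint flag and validates nothing; the code relies on the `\Q...\E` quoting for safety, and the comment should say so, e.g. `# blanket untaint, no validation here: \Q..\E below is what keeps $val literal inside qq{}`. `$expr` is still appended to the eval string unquoted and its origin is not visible in this hunk, so it is worth confirming that it can only come from trusted rule configuration when running setuid. The same hunk is printed a second time further down the page, and the same points apply there.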
Date: Tue May 25 18:25:12 2004
New Revision: 20449
Modified:
incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
Log:
bug 3320: insecure setuid eval possibly worked around using a similar fix to bug 3325
Modified: incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
==============================================================================
--- incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm (original)
+++ incubator/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm Tue May 25 18:25:12 2004
@@ -3168,7 +3168,14 @@
sub html_eval {
my ($self, undef, $test, $expr) = @_;
- return exists $self->{html}{$test} && eval "qq{\Q$self->{html}{$test}\E} $expr";
+
+ # workaround bug 3320: wierd perl bug where additional, very explicit
+ # untainting into a new var is required.
+ my $tainted = $self->{html}{$test};
+ return unless defined($tainted);
+ $tainted =~ /^(.*)$/; my $val = $1;
+
+ return eval "qq{\Q$val\E} $expr";
}
sub html_text {