Opened 11 years ago

Closed 8 years ago

Last modified 8 years ago

#4954 closed defect (fixed)

perl runs in tainted mode and excludes . from path

Reported by: Torg
Owned by: beirdo
Priority: minor
Milestone: 0.24
Component: Plugin - MythWeather
Version: Master Head
Severity: high
Keywords: mythweather
Cc:
Ticket locked: no

Description

Because mythfrontend runs setuid for real-time threads, perl runs in tainted mode. This truncates . from the @INC environment, making most of mythweather's perl scripts fail.

Adding absolute paths to the scripts works, but is an ugly hack to allow them to run.

--- animaps.pl.orig     2008-03-14 12:39:01.000000000 -0500
+++ animaps.pl  2008-03-14 12:37:17.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use Getopt::Std;
 use LWP::Simple;
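Review bot: The use lib line added at the top hardcodes the /usr/local/share/mythtv/... install prefix, so the script would still fail to find its modules on any install that uses a different prefix. Deriving the directory from the script's own location, and untainting it before it goes into @INC, would fix the taint-mode failure without tying the scripts to one layout. The same literal is repeated in every file of this patch.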
--- maps.pl.orig        2008-03-14 12:39:19.000000000 -0500
+++ maps.pl     2008-03-14 12:30:21.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use Getopt::Std;
 use LWP::Simple;
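Review bot: Nothing in the visible context of this hunk loads a module from the us_nws directory (only Getopt::Std and LWP::Simple appear), so please confirm that maps.pl actually needs the added use lib line. If no local module is loaded further down, drop the line here rather than carry an unused hardcoded path.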
--- ndfd18.pl.orig      2008-03-14 12:38:48.000000000 -0500
+++ ndfd18.pl   2008-03-14 12:45:35.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use NDFDParser;
 use NWSLocation;
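Review bot: The added use lib line carries no comment explaining why it is there. A one-line comment above it, saying that taint mode (triggered by the setuid frontend) drops . from @INC and that NDFDParser and NWSLocation live beside the script, would keep a later cleanup from removing it.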
@@ -147,7 +148,7 @@
     $icon = $result->{$time}->{'conditions-icon_forecast-NWS'};
     $icon =~ s/.*\/([a-z0-9_]+[.][j][p][g])/$1/;
     local *FH;
-    open(FH, "icons") or die "Cannot open icons";
+    open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
     while(my $line = <FH>) {
         if ($line =~ /${icon}::/) {
             $line =~ s/.*:://;
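Review bot: The replaced open call keeps the two-argument form with a bareword handle, and its die message reports neither the path nor $!. Since the line is being touched anyway, consider open(my $fh, '<', $path) or die "Cannot open $path: $!" with $path built from the same directory value as the use lib line, so the absolute path is not written out a second time in this file.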
--- ndfd.pl.orig        2008-03-14 12:38:39.000000000 -0500
+++ ndfd.pl     2008-03-14 12:50:20.000000000 -0500
@@ -1,4 +1,5 @@
 #! /usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';

 #TODO the icons aren't very meaningful, the server gives them to us for 3 or 6
 # hr intervals, but since we're parsing for 12 hour, that seem a little useless
@@ -188,7 +189,7 @@
             $icon = $result->{$iconkey}->{'conditions-icon_forecast-NWS'};
             $icon =~ s/.*\/([a-z0-9_]+[.][j][p][g])/$1/;
             local *FH;
-            open(FH, "icons") or die "Cannot open icons";
+            open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
             while(my $line = <FH>) {
                 if ($line =~ /${icon}::/) {
                     $line =~ s/.*:://;
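Review bot: The icons lookup loop around the changed open is the same code that this patch also edits in ndfd18.pl and nwsxml.pl, so the absolute path now has to be maintained in three places. Moving the lookup into one helper in the us_nws directory, which these scripts can load once the lib path is set, would leave a single path to get right.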
--- nws-alert.pl.orig   2008-03-14 12:38:39.000000000 -0500
+++ nws-alert.pl        2008-03-14 12:42:11.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 package NWSAlert;
 use strict;
 use XML::Parser;
--- nwsxml.pl.orig      2008-03-14 12:38:39.000000000 -0500
+++ nwsxml.pl   2008-03-14 12:43:56.000000000 -0500
@@ -1,4 +1,5 @@
 #! /usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';

 use strict;
 use XML::Simple;
@@ -116,7 +117,7 @@
         $key = 'weather_icon';
         $xml->{$key} = 'unknown.png';
         local *FH;
-        open(FH, "icons") or die "Cannot open icons";
+        open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
         while(my $line = <FH>) {
             chomp $line;
             if ($line =~ /$xml->{'icon_url_name'}::/) {
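Review bot: In the context line after the changed open, $xml->{'icon_url_name'} is interpolated into the match unescaped, so any regex metacharacters in that value are treated as pattern syntax. This is not introduced by the patch, but it is worth tightening while the block is being edited: /\Q$xml->{'icon_url_name'}\E::/ makes it a literal match.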

Attachments (1)

scripts.diff (2.9 KB) - added by Torg 11 years ago.
Patch for us_nws scripts


Change History (9)

Changed 11 years ago by Torg

Attachment: scripts.diff added

Patch for us_nws scripts

comment:1 Changed 11 years ago by james.sumners@…

I've found that adding -I./ to the perl execution line works okay. e.g. #! /usr/bin/perl -w => #! /usr/bin/perl -w -I./.

comment:2 Changed 10 years ago by stuartm

Owner: changed from stuartm to xris
Status: new → assigned

comment:3 Changed 9 years ago by stuartm

Milestone: 0.21.1 → 0.22

comment:4 Changed 9 years ago by stuartm

Component: mythweather → Plugin - MythWeather
Milestone: 0.22 → unknown

comment:5 Changed 9 years ago by stuartm

Version: 0.21-fixes → Trunk Head

comment:6 Changed 8 years ago by beirdo

Owner: changed from xris to beirdo

comment:7 Changed 8 years ago by beirdo

Resolution: fixed
Status: assigned → closed

(In [25155]) Explicitly added path from the currently running script and default paths into all the scraper scripts that use local libraries. This will get rid of the problem of perl running in tainted mode due to setuid, as now the current directory doesn't need to be implicitly in the path.

Closes #4954
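
The approach described in the closing comment, as an added example (not the code from [25155] and not part of the ticket): the script's own directory is resolved, untainted, and used for both @INC and the icons lookup. The helper names open_icon_map and icon_for and the sample map contents are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not MythTV code. Run as "perl -T <file>" to exercise taint mode.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Spec;

my $SCRIPT_DIR;
BEGIN {
    # abs_path() output is tainted under -T, and a tainted @INC entry makes
    # require fail, so accept only a conservative absolute path and keep the
    # captured (untainted) copy. Unusual install paths are rejected outright.
    my $raw = dirname(abs_path($0));
    ($SCRIPT_DIR) = $raw =~ m{\A(/[\w./+-]+)\z}
        or die "unexpected script directory\n";
}
use lib $SCRIPT_DIR;    # stands in for the "." that taint mode drops

# Open the icon map that sits next to the script, independent of the cwd.
sub open_icon_map {
    my $path = File::Spec->catfile($SCRIPT_DIR, 'icons');
    open(my $fh, '<', $path) or die "Cannot open $path: $!\n";
    return $fh;
}

# Map a remote icon name to the local one using "remote::local" lines,
# the layout the lookup loops in the patch rely on.
sub icon_for {
    my ($fh, $remote) = @_;
    while (my $line = <$fh>) {
        chomp $line;
        # \Q..\E: treat the name from the forecast data as literal text
        next unless $line =~ /\Q$remote\E::/;
        $line =~ s/.*:://;
        return $line;
    }
    return 'unknown.png';
}

# Constructed sample map, read through an in-memory handle.
my $sample = "skc.jpg::sunny.png\nra.jpg::showers.png\n";
open(my $fh, '<', \$sample) or die "in-memory open failed: $!\n";
print icon_for($fh, 'ra.jpg'), "\n";
print "script dir: $SCRIPT_DIR\n";
```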

comment:8 Changed 8 years ago by stuartm

Milestone: unknown → 0.24