Modify
Warning Please read the Ticket HowTo before creating or commenting on a ticket. Failure to do so may cause your ticket to be rejected or result in a slower response.

Opened 6 years ago

Closed 4 years ago

Last modified 4 years ago

#4954 closed defect (fixed)

perl runs in tainted mode and excludes . from path

Reported by: Torg Owned by: beirdo
Priority: minor Milestone: 0.24
Component: Plugin - MythWeather Version: Master Head
Severity: high Keywords: mythweather
Cc: Ticket locked: no

Description

because mythfrontend runs setuid for real time threads perl runs in tainted mode. This truncates . from the @INC environment making most of mythweathers perl scripts fail.

Adding absolute paths to the scripts works, but is an ugly hack to allow them to run.

--- animaps.pl.orig     2008-03-14 12:39:01.000000000 -0500
+++ animaps.pl  2008-03-14 12:37:17.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use Getopt::Std;
 use LWP::Simple;
--- maps.pl.orig        2008-03-14 12:39:19.000000000 -0500
+++ maps.pl     2008-03-14 12:30:21.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use Getopt::Std;
 use LWP::Simple;
--- ndfd18.pl.orig      2008-03-14 12:38:48.000000000 -0500
+++ ndfd18.pl   2008-03-14 12:45:35.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 use strict;
 use NDFDParser;
 use NWSLocation;
@@ -147,7 +148,7 @@
     $icon = $result->{$time}->{'conditions-icon_forecast-NWS'};
     $icon =~ s/.*\/([a-z0-9_]+[.][j][p][g])/$1/;
     local *FH;
-    open(FH, "icons") or die "Cannot open icons";
+    open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
     while(my $line = <FH>) {
         if ($line =~ /${icon}::/) {
             $line =~ s/.*:://;
--- ndfd.pl.orig        2008-03-14 12:38:39.000000000 -0500
+++ ndfd.pl     2008-03-14 12:50:20.000000000 -0500
@@ -1,4 +1,5 @@
 #! /usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';

 #TODO the icons aren't very meaningful, the server gives them to us for 3 or 6
 # hr intervals, but since we're parsing for 12 hour, that seem a little useless
@@ -188,7 +189,7 @@
             $icon = $result->{$iconkey}->{'conditions-icon_forecast-NWS'};
             $icon =~ s/.*\/([a-z0-9_]+[.][j][p][g])/$1/;
             local *FH;
-            open(FH, "icons") or die "Cannot open icons";
+            open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
             while(my $line = <FH>) {
                 if ($line =~ /${icon}::/) {
                     $line =~ s/.*:://;
--- nws-alert.pl.orig   2008-03-14 12:38:39.000000000 -0500
+++ nws-alert.pl        2008-03-14 12:42:11.000000000 -0500
@@ -1,4 +1,5 @@
 #!/usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';
 package NWSAlert;
 use strict;
 use XML::Parser;
--- nwsxml.pl.orig      2008-03-14 12:38:39.000000000 -0500
+++ nwsxml.pl   2008-03-14 12:43:56.000000000 -0500
@@ -1,4 +1,5 @@
 #! /usr/bin/perl -w
+use lib '/usr/local/share/mythtv/mythweather/scripts/us_nws/';

 use strict;
 use XML::Simple;
@@ -116,7 +117,7 @@
         $key = 'weather_icon';
         $xml->{$key} = 'unknown.png';
         local *FH;
-        open(FH, "icons") or die "Cannot open icons";
+        open(FH, "/usr/local/share/mythtv/mythweather/scripts/us_nws/icons") or die "Cannot open icons";
         while(my $line = <FH>) {
             chomp $line;
             if ($line =~ /$xml->{'icon_url_name'}::/) {

Attachments (1)

scripts.diff (2.9 KB) - added by Torg 6 years ago.
Patch for us_nws scripts

Download all attachments as: .zip

Change History (9)

Changed 6 years ago by Torg

Patch for us_nws scripts

comment:1 Changed 6 years ago by james.sumners@…

I'v found that adding -I./ to the perl execution line works okay. e.g. #! /usr/bin/perl -w => #! /usr/bin/perl -w -I./.

comment:2 Changed 5 years ago by stuartm

  • Owner changed from stuartm to xris
  • Status changed from new to assigned

comment:3 Changed 5 years ago by stuartm

  • Milestone changed from 0.21.1 to 0.22

comment:4 Changed 5 years ago by stuartm

  • Component changed from mythweather to Plugin - MythWeather
  • Milestone changed from 0.22 to unknown

comment:5 Changed 4 years ago by stuartm

  • Version changed from 0.21-fixes to Trunk Head

comment:6 Changed 4 years ago by beirdo

  • Owner changed from xris to beirdo

comment:7 Changed 4 years ago by beirdo

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [25155]) Explicitly added path from the currently running script and default paths into
all the scraper scripts that use local libraries. This will get rid of the
problem of perl running in tainted mode due to setuid, as now the current
directory doesn't need to be implicitly in the path.

Closes #4954

comment:8 Changed 4 years ago by stuartm

  • Milestone changed from unknown to 0.24

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'new'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.