[freeside] Insecure dependency

ivan ivan at 420.am
Thu Aug 24 00:32:51 PDT 2000


On Wed, Aug 23, 2000 at 09:10:13PM -0700, Jason Spence wrote:
> Hi -
> 
> Has anyone else had a problem with insecure dependencies as Freeside parses
> out Text::Template files using fill_in?  In addition to the IE auto signup
> template being parsed out to set up a Windows box to use your ISP, I'm writing
> a commission report that gives me the same problem.  The exact problem seems
> to be the $fi_progtext variable in Text/Template.pm being evaled at line 282
> (Text::Template version 1.23) containing some tainted data.

Yes, I think the problem is that the template data itself is considered
tainted when pulled from the filesystem.

You could probably remove the `-T' flag from the top of signup.cgi.  This
should be safe; I'm very careful to clean all user input, and presumably
the template contains no malicious code. 

Or you could try the attached patch, which I've just checked in.

>  I have a
> suspicion that it has something to do with FS::UID->cgisuidsetup(), because
> without that at the top of the script it doesn't report the data as tainted.

Umm, cgisuidsetup (and adminsuidsetup) clean the environment (to satisfy
taint mode), set up a database connection and run any configuration
callbacks.  I don't think that removing it would cause the Text::Template
data to parse differently; more likely you're just hitting a case where
the lack of a database connection or any configuration information is
causing a different error condition. 

-- 
meow
_ivan


--- fs_signup/FS-SignupClient/cgi/signup.cgi    2000/05/10 23:57:57 1.7
+++ fs_signup/FS-SignupClient/cgi/signup.cgi    2000/08/24 07:26:50 1.8
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -Tw
 #
-# $Id: signup.cgi,v 1.7 2000/05/10 23:57:57 ivan Exp $
+# $Id: signup.cgi,v 1.8 2000/08/24 07:26:50 ivan Exp $
 
 use strict;
 use vars qw( @payby $cgi $locales $packages $pops $r $error
@@ -29,14 +29,22 @@
 $cck_file = '/usr/local/freeside/cck.template';
 
 if ( -e $ieak_file ) {
-  $ieak_template = new Text::Template ( TYPE => 'FILE', SOURCE => $ieak_file )
-    or die "Couldn't construct template: $Text::Template::ERROR";
+  my $ieak_txt = Text::Template::_load_text($ieak_file)
+    or die $Text::Template::ERROR;
+  $ieak_txt =~ /^(.*)$/s; #untaint the template source - it's trusted
+  $ieak_txt = $1;
+  $ieak_template = new Text::Template ( TYPE => 'STRING', SOURCE => $ieak_txt )
+    or die $Text::Template::ERROR;
 } else {
   $ieak_template = '';
 }
 if ( -e $cck_file ) {
-  $cck_template = new Text::Template ( TYPE => 'FILE', SOURCE => $cck_file )
-    or die "Couldn't construct template: $Text::Template::ERROR";
+  my $cck_txt = Text::Template::_load_text($cck_file)
+    or die $Text::Template::ERROR;
+  $cck_txt =~ /^(.*)$/s; #untaint the template source - it's trusted
+  $cck_txt = $1;
+  $cck_template = new Text::Template ( TYPE => 'STRING', SOURCE => $cck_txt )
+    or die $Text::Template::ERROR;
 } else {
   $cck_template = '';
 }
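
Review bot: the untaint at `$ieak_txt =~ /^(.*)$/s;` and `$cck_txt =~ /^(.*)$/s;` accepts any file content unconditionally, so under `-T` nothing now stands between whatever is in `$ieak_file` / `$cck_file` and the code Text::Template evaluates from it. The "it's trusted" comment is the whole safeguard; consider checking before the load that each template file is owned by the expected user and is not group- or world-writable, or at least stating that requirement in the comment. Two smaller points: `Text::Template::_load_text` is an underscore-prefixed internal of the module, so this call can break on a Text::Template upgrade, and because its result is tested with `or die`, an empty template file (or one containing only `0`) is now treated as a load failure. The two blocks differ only in variable names and could share one helper.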




