Re: setuid dbupdate

Hi Gabor,

> Gabor Kiss writes :
> 
> "Insecure dependency in open while running with -T switch at /usr/local/whois/lib/addkey.pl line 52."
> 
> 52:       if (open(OVERFLOWADD, ">>".$db[1].$OVERFLOWEXTENSION.$value)) {
> 
> I tried at least six different tricks to avoid this message. No success.
> (Hardcoded direct setuid C wrapper is not included in the six.)
> 
> Any suggestion?

$filename=~ 

Could you try this:

in dbopen change:

sub dbname {
    local(*entry)=@localhost
    
    local($name)=$DBFILE{$entry{"so"}};
        
    $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
            
    print STDERR "dbname - name: $name\n" if ($opt_V);
                
    return $name;
                    
} 
                    
to:

sub dbname {
    local(*entry)=@localhost
    
    local($name);
    
    #
    # untaint db file name
    
    $DBFILE{$entry{"so"}}=~ /(.*)/;
   
    $name=$1;
    
    $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
            
    print STDERR "dbname - name: $name\n" if ($opt_V);
                
    return $name;
                    
}

I have not tested this code. Please let me know if it works. No need to
CC the whole db-wg mailing list since it is not really a design issue ...

Note that I also found a couple of other (small) problems with perl5. As
the documentation says: It looks like perl5 is working now but we don't
give any guarantees and are interested in problems you might find. I will
collect this stuff for one big patch file (including RPSL extensions) for
Ambrose.

David K.
---