Discrepancies in INNshellvars variables

Russ Allbery rra at stanford.edu
Sun Dec 14 04:28:51 UTC 2008 

Julien ÉLIE <julien at trigofacile.com> writes:

> I have just seen the patch <http://launchpadlibrarian.net/3085370/ip>
> for Ubuntu to fix innshellvars.pl which is not taint-safe:
>
> --- /usr/lib/news/innshellvars.pl 2006-03-15 11:37:21.000000000 +0100
> +++ ./innshellvars.pl 2006-06-15 10:04:28.000000000 +0200
> @@ -9,7 +9,11 @@
>
>  package inn ;
>
> -eval `@bindir@/innconfval -p`;
> +my $icv = `@bindir@/innconfval -p`;
> +my %icv;
> +$icv{$icv}++;
> +($icv) = keys %icv;
> +eval $icv;
>
>  $newshome = $pathnews;

I'm a little reluctant to apply the various fixes to untaint the output
from innconfval because they always look like weird hacks to me.  But
then, I tend not to use the Perl tainting support, so that may be why.

Ideally, we'd have a direct Perl interface to the config parser (ticket
#2) which would avoid the need for things like this.

> By the way, I looked into innshellvars.* and I do not understand some things.
>
> * First of all, shouldn't the names be standardized?
>   I for instance see:
>   SPOOLBASE=${PATHSPOOL}
>   $spooldir = $pathspool;
>
>   Why isn't it the same for Bourne shell and Perl?

The names should definitely be standardized across all supported
languages.  This unfortunately breaks backwards compatibility if anyone is
using the variables that are renamed.  Recorded as ticket #10.

> * Shouldn't the EXPORT stuff be the same everywhere?  Some variables are
>   exported in the shell script and not in the other scripts.
>
>   SPOOLBASE=${PATHSPOOL}
>   export NEWSHOME SPOOL MOST_LOGS
>                   ^^^^^
>
>   export NEWSBIN NEWSETC INNDDIR NEWSHOME
>                                  ^^^^^^^^
>   It should be NEWSLIB and LOCKS.

Yup, likewise here it should always be the same.

> * In the Perl script:
>
>   $syslog_facility = lc("@SYSLOG_FACILITY@");
>   $syslog_facility =~ s/log_//;
>
>   Shouldn't it also be in the shell and the Tcl scripts?

Yup.  Less useful in the others, but they might still run logger from the
command line.

> * In the Tcl script, I read:
>
>   set inn_newslbin "${inn_newshome}/local"
>   set inn_newsetc "${inn_newshome}/etc"
>
>   Well... Not necessary...

Fixed in CURRENT.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.

More information about the inn-workers mailing list