From: Martin Storsjö
To: ffmpeg-devel@ffmpeg.org
Cc: george@nsup.org
Date: Tue, 7 Sep 2021 14:19:21 +0300
Message-Id: <20210907111922.2654736-1-martin@martin.st>
Subject: [FFmpeg-devel] [fateserver PATCH 1/2] Add a missed taint check in report.cgi

This was missed in 505f620a5d22ffef86ad5ffa1328e87ba6dc191b.
--- report.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/report.cgi b/report.cgi index 2b388e4..fb00fee 100755 --- a/report.cgi +++ b/report.cgi 
@@ -1,4 +1,4 @@ -#! /usr/bin/perl +#! /usr/bin/perl -T # # Copyright (c) 2011 Mans Rullgard # 
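Review bot: On the changed `#!` line, `-T` only takes effect when report.cgi is executed directly; if the script is started as `perl report.cgi`, Perl aborts because -T must then also be given on the command line, so the web server setup and any manual test invocation should be checked. The commit message could also say what was missed (taint mode for report.cgi) rather than only citing 505f620a5d22ffef86ad5ffa1328e87ba6dc191b. With taint mode on, any request-derived value that report.cgi puts into a path or passes to an external command has to be untainted through a regex capture first, otherwise the script dies at that point.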
From: Martin Storsjö
To: ffmpeg-devel@ffmpeg.org
Cc: george@nsup.org
Date: Tue, 7 Sep 2021 14:19:22 +0300
Message-Id: <20210907111922.2654736-2-martin@martin.st>
In-Reply-To: <20210907111922.2654736-1-martin@martin.st>
Subject: [FFmpeg-devel] [fateserver PATCH 2/2] Add missing validation of out of process data

When invoking unxz, the variables making up the path passed to unxz need to be validated.

load_summary normally only reads the "summary" file, but if missing, it tries to use unxz to unpack report.xz. In this case the slot value needs to be validated, which can be done in the main loop in index.cgi.

load_report uses unxz, with a slot and date read from the summary file, when the report contained failures. In this case, the slot and date values can either be validated as they're read from the summary in load_summary or split_header, or before they're used in load_report.

This unbreaks the main results listings for slots with one or more test failures.
--- FATE.pm | 2 ++ index.cgi | 1 + 2 files changed, 3 insertions(+) diff --git a/FATE.pm b/FATE.pm index b7d7260..ccb8958 100644 --- a/FATE.pm +++ b/FATE.pm @@ -147,6 +147,8 @@ sub load_summary { sub load_report { my ($slot, $date) = @_; + ($slot) = $slot =~ /^([A-Za-z0-9_\-.]{1,80})\z/ or exit 1; + ($date) = $date =~ /^([0-9]{1,80})\z/ or exit 1; my $report = "$fatedir/$slot/$date/report.xz"; my @recs; diff --git a/index.cgi b/index.cgi index 8fe92db..c053d0e 100755 --- a/index.cgi +++ b/index.cgi 
@@ -47,6 +47,7 @@ my $allpass = 0; my $allfail = 0; for my $slot (@slots) { + ($slot) = $slot =~ /^([A-Za-z0-9_\-.]{1,80})\z/ or next; next if -e "$fatedir/$slot/hidden"; my $rep = load_summary $slot, 'latest' or next; next if time - parse_date($$rep{date}) > $hidden_age;
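Review bot: In the FATE.pm hunk, the slot pattern `[A-Za-z0-9_\-.]{1,80}` also matches `.` and `..`, so a slot of `..` passes the check and `"$fatedir/$slot/$date/report.xz"` then resolves outside `$fatedir`. Requiring a leading alphanumeric, for example `/^([A-Za-z0-9][A-Za-z0-9_\-.]{0,79})\z/`, closes that. Separately, `or exit 1` inside a library sub ends the whole CGI with no output and no log line; a `die` with a message naming the rejected field, or an early return that lets the caller skip the entry, would make a malformed summary file diagnosable.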
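Review bot: In the index.cgi loop, the slot check sits in the caller rather than in load_summary, which per the commit message is the function that falls back to unxz, so any other script that calls load_summary has to repeat it. Moving the check into load_summary, as the FATE.pm hunk does for load_report, and sharing one pattern through a helper in FATE.pm would keep the two copies of `/^([A-Za-z0-9_\-.]{1,80})\z/` from drifting apart. The `or next` also drops a non-matching slot silently; a `warn` to the server log would show when a slot is being skipped.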