Bug 7020 - Util.pm refusing to untaint
Status: RESOLVED INVALID
Product: Spamassassin
Classification: Unclassified
Component: spamassassin
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2014-02-27 14:21 UTC by m.grau
Modified: 2015-12-22 14:41 UTC
Description m.grau 2014-02-27 14:21:46 UTC
Running a message through spamassassin at the command line gives this warning from Util.pm:

   warn: util: refusing to untaint
   suspicious path: "${exec_prefix}/lib"

Calling spamassassin from within the MIMEDefang milter:

  mimedefang-multiplexor[27529]: s1QKZwcH017978: Slave 1 stderr: util: refusing
  to untaint suspicious path: "${exec_prefix}/lib"

(Applying the patch from bug id=7015 did not fix it.)
Comment 1 Kevin A. McGrail 2014-02-27 14:44:27 UTC
Looking at this more with another programmer helping, I think you are passing the path of "${exec_prefix}/lib" when you likely mean to sometime earlier have exec_prefix replaced with something.

In short, I'm 99.9% sure this is a configuration error.
Comment 2 m.grau 2014-02-27 16:57:42 UTC
Yes, it appears to have been a configuration issue. I removed all .pre files from /etc/mail/spamassassin, re-installed SA and the warning is no longer produced.

I can only assume that a .pre file was inadvertently left from a previous install.
Comment 3 Martin 2015-12-22 10:21:30 UTC
In my case, the source of the problem was Rhyolite DCC which was activated in v310.pre:

loadplugin Mail::SpamAssassin::Plugin::DCC

Commenting this line out removed the error immediately.

Digging further I found out you really need to pass an argument --libexecdir= to the ./configure (do this in /var/dcc/build if you plan to update DCC automatically), e.g.:

./configure --disable-IPv6 --disable-server --disable-dccm --libexecdir=/var/dcc/libexec

With this option given DCC works without errors and can be re-enabled.
Comment 4 Kevin A. McGrail 2015-12-22 14:41:27 UTC
Thanks for the follow-up!
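
A quick check for the condition this thread describes, a literal `${exec_prefix}` left where a real path should be, written as an added shell example that is not part of the bug report or of SpamAssassin or DCC. The variable list is the standard autoconf directory set; the sample files and the `helper_dir` key are constructed for the demo.

```shell
#!/bin/sh
# Added example, not SpamAssassin or DCC code.
# Autoconf installation-directory variables. A literal ${name} for any of
# these in an installed file means the build-time value was never filled in.
AC_DIR_VARS='prefix|exec_prefix|bindir|sbindir|libexecdir|libdir|datarootdir|datadir|sysconfdir|localstatedir|mandir'

# scan_unexpanded PATH...
#   Prints file:line:text for each non-comment line containing a literal
#   ${var} from the list above. Exit status 0 means at least one hit.
scan_unexpanded() {
    # -r recurse, -H always show file name, -n line numbers, -I skip binaries
    grep -rHnIE "[\$][{]($AC_DIR_VARS)[}]" -- "$@" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# has_placeholder STRING
#   Exit status 0 if a single value (for example a path reported by a helper
#   program) still contains one of the placeholders.
has_placeholder() {
    printf '%s\n' "$1" | grep -qE "[\$][{]($AC_DIR_VARS)[}]"
}

# make_sample DIR
#   Constructed sample files, not taken from a real install.
#   "helper_dir" is a made-up key used only to carry the stale value.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'loadplugin Mail::SpamAssassin::Plugin::DCC' > "$1/v310.pre"
    printf '%s\n' '# default is ${exec_prefix}/lib' \
                  'helper_dir ${exec_prefix}/lib' > "$1/stale.pre"
}

# demo: build the sample tree, scan it, clean up.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    scan_unexpanded "$d"
    rm -rf "$d"
}

demo
```

Shell scripts legitimately use `${prefix}`-style expansions, so point `scan_unexpanded` at configuration directories rather than at script directories.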