On 08.04.2015 03:30 AM, Orion Poplawski wrote:
> I'm thinking that x2go's server scripts should use perl's "-T" taint mode to prevent searching user's paths and otherwise improve security. Thoughts?
Good idea! I'm in favor of this and will dig into that when I have spare time.
However, there's more to that than just enabling taint mode, by a quick glimpse at http://perldoc.perl.org/perlsec.html#Taint-mode
That is, we actually have to make sure that the scripts still *work in taint mode* prior to just blindly enabling it.
We're also using at least one setuid script, which deserves special care to make sure it continues to work.
Mihai
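
Added example, not part of the original message and not X2Go code: a small Perl script showing two changes that perlsec says a script needs before it works under `-T`, namely a fixed PATH before any external command is run and validation of tainted input through a regex capture. The script, the `try_run` helper, the allowed-character pattern and the sample default value are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: hypothetical script, not taken from X2Go.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run an external command and report whether the taint checks allowed it.
# Under -T a refused call dies before anything is executed.
sub try_run {
    my ($label, @cmd) = @_;
    my $ran = eval { system(@cmd); 1 };
    my $why = $ran ? 'allowed' : "refused: $@";
    chomp $why;
    print "$label: $why\n";
    return $ran;
}

# 1. The inherited environment is tainted, so perl refuses to start a
#    subprocess ("Insecure $ENV{PATH}") even for an absolute command path.
try_run('inherited PATH', '/bin/echo', 'hello');

# Fix: set PATH to fixed, trusted directories and drop the other
# variables that influence how a shell behaves (list from perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
try_run('fixed PATH', '/bin/echo', 'hello');

# 2. Command-line arguments are tainted and may not reach system().
#    The fallback below is a constructed constant and is NOT tainted;
#    pass a real argument to see the refusal.
my $raw = shift(@ARGV) // 'constructed-default';
print "argument tainted: ", (tainted($raw) ? 'yes' : 'no'), "\n";
try_run('raw argument', '/bin/echo', $raw);

# Fix: untaint by capturing from an anchored allow-list pattern.
# Only the captured group is clean; $raw itself stays tainted.
my ($name) = $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/
    or die "rejecting unexpected input\n";
try_run('validated argument', '/bin/echo', $name);
```

Run it as `perl -T script.pl some-name`; when the script is started through the `perl` binary rather than executed directly, `-T` has to be given on the command line as well as on the `#!` line.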