Item12391: Check for bad Locale::Maktext versions

SMELL: trunk's new configure renders all the "CGISetup.pm" checks a bit worthless - if you go to the trouble of Configuration Audit -> Web server, it seems none of the ->ERROR() and ->WARN() messages are actually visualised back to the user. Following this up in Item12180 git-svn-id: http://svn.foswiki.org/trunk@16532 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Feb 13, 2013 · 2f42e93 · 2f42e93
1 parent 22cb378
commit 2f42e93
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 6 deletions.
diff --git a/core/lib/Foswiki/Configure/Checkers/CGISetup.pm b/core/lib/Foswiki/Configure/Checkers/CGISetup.pm
@@ -274,6 +274,22 @@ HERE
         }
     }
 
+    # Item12285 - do we have a nasty Locale::Maktext version?
+    require Foswiki::Configure::Checkers::UserInterfaceInternationalisation;
+    my $maketext_vuln =
+      Foswiki::Configure::Checkers::UserInterfaceInternationalisation::have_vulnerable_maketext(
+      );
+    if ($maketext_vuln) {
+        if ( $Foswiki::cfg{UserInterfaceInternationalisation} ) {
+            $content .=
+              $this->setting( 'Locale::Maktext', $this->ERROR($maketext_vuln) );
+        }
+        else {
+            $content .=
+              $this->setting( 'Locale::Maketext', $this->WARN($maketext_vuln) );
+        }
+    }
+
     #OS
     my $n =
         ucfirst( lc( $Config::Config{osname} ) ) . ' '

diff --git a/core/lib/Foswiki/Configure/Checkers/UserInterfaceInternationalisation.pm b/core/lib/Foswiki/Configure/Checkers/UserInterfaceInternationalisation.pm
@@ -7,7 +7,14 @@ use warnings;
 use Foswiki::Configure::Checker ();
 our @ISA = ('Foswiki::Configure::Checker');
 
-my @required = (
+my $maketext_minver = 1.23;
+my @required        = (
+    {
+        name           => 'Locale::Maketext',
+        usage          => 'I18N translations',
+        minimumVersion => $maketext_minver,
+        disposition    => 'optional',
+    },
     {
         name  => 'Locale::Maketext::Lexicon',
         usage => 'I18N translations',
@@ -54,11 +61,42 @@ my @perl58 = (
     },
 );
 
-sub check {
-    my $this = shift;
+# Item12285
+sub have_vulnerable_maketext {
+    my ($this) = @_;
+    require Foswiki::Configure::Dependency;
+    my $dep = Foswiki::Configure::Dependency->new(
+        type    => 'perl',
+        module  => 'Locale::Maketext',
+        version => '>=$maketext_minver',
+    );
+    my ($result) = $dep->check();
+    my $maketext_ver =
+      eval { require Locale::Maketext; $Locale::Maketext::VERSION; } || '';
+
+    return $result ? '' : <<"HERE";
+Your version of Locale::Maktext $maketext_ver may introduce a dangerous code
+injection security vulnerability. Upgrade to version $maketext_minver or newer. See
+<a href="http://foswiki.org/Support/SecurityAlert-CVE-2012-6329">CVE-2012-6329</a>
+for more advice.
+HERE
+}
 
-    my $n = $this->checkPerlModules( 0, \@required );
+sub check {
+    my $this     = shift;
+    my $vuln_msg = $this->have_vulnerable_maketext();
+
+    my $n = '';
+    if ($vuln_msg) {
+        if ( $Foswiki::cfg{UserInterfaceInternationalisation} ) {
+            $n .= $this->ERROR($vuln_msg);
+        }
+        else {
+            $n .= $this->WARN($vuln_msg);
+        }
+    }
 
+    $n .= $this->checkPerlModules( 0, \@required );
     if ( $] >= 5.008 ) {
         $n .= $this->checkPerlModules( 0, \@perl58 );
     }

diff --git a/core/lib/Foswiki/Configure/UI.pm b/core/lib/Foswiki/Configure/UI.pm
@@ -1226,9 +1226,10 @@ sub checkPerlModules {
             if ( $mod_version < $mod->{minimumVersion} ) {
                 $n = $mod->{installedVersion};
                 $n .=
-                    ' installed. Version '
+                    ' installed. <span class="foswikiAlert">Version '
                   . $mod->{minimumVersion} . ' '
-                  . $mod->{disposition};
+                  . $mod->{disposition}
+                  . '</span>.';
                 $n .= ' ' . $mod->{usage} if $mod->{usage};
             }
         }