This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The checklink call in W3C/LogValidator/LinkChecker.pm open(LINK, "$checklink $uri 2>/dev/null |"); seems dangerous to me. There's no protection against shell metacharacters in $uri. It's better to use the "safe pipe" technique, see this patch: #### Patch data follows #### diff -up '../build/W3C-LogValidator-1.04/lib/W3C/LogValidator/LinkChecker.pm' 'W3C-LogValidator-1.04/lib/W3C/LogValidator/LinkChecker.pm' Index: ./lib/W3C/LogValidator/LinkChecker.pm Prereq: 1.5 --- ./lib/W3C/LogValidator/LinkChecker.pm Sun Jan 15 20:39:38 2006 +++ ./lib/W3C/LogValidator/LinkChecker.pm Tue Jan 17 00:06:25 2006 @@ -156,7 +156,13 @@ sub process_list print " processing #$total_census $uri..." if ($verbose > 1); # FIXME at some point we will use the library instead of running the script - open(LINK, "$checklink $uri 2>/dev/null |"); + #open(LINK, "$checklink $uri 2>/dev/null |"); + open LINK, "-|" or do { + require File::Spec; + open STDERR, "> " . File::Spec->devnull or die $!; + exec $checklink, $uri; + die "Can't execute $checklink: $!"; + }; my $num_errs = 0; print "\n" if ($verbose > 2); while (<LINK>) { #### End of Patch data ####
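Review bot: In the `open LINK, "-|" or do { ... }` line, a failed fork is not distinguished from the child. The forking open returns undef on failure and 0 in the child, and both are false, so when the fork fails the parent itself runs the block, points its own STDERR at the null device and execs `$checklink`, replacing the log validator process. Capture the return value, for example `my $pid = open(LINK, "-|"); die "Can't fork: $!" unless defined $pid;`, and run the redirect-and-exec block only when `$pid == 0`. In the same block, `die "Can't execute $checklink: $!"` writes to the STDERR that was just redirected to devnull, so an exec failure is silent, and a `die` in the child can be caught by an enclosing `eval` and leave a second copy of the program running; exiting the child explicitly after a failed `exec` avoids that. The list form of `exec` removes the shell, but a `$uri` beginning with `-` still reaches checklink as an option, so it is worth validating `$uri` as a URI before the call. The commented-out `#open(LINK, ...)` line should be dropped rather than kept.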
This patch was applied a long time ago, but I forgot to close the bugzilla. Thanks again to Slaven for the catch and the patch. http://dev.w3.org/cvsweb/perl/modules/W3C/LogValidator/lib/W3C/LogValidator/LinkChecker.pm