This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
[this is a follow-up to Debian bug #217353]

It looks like starting with version 5.8.1, Perl is fussier about the tainted mode and the exec command: use of tainted data in command "exec LIST" seems to cause an error.

check calls the commands open3("<&SPIN", ">&SPOUT", ">&SPERR", @cmd); and open3 itself calls "exec @cmd" -- since @cmd contains at least the name of the SGML Parser (read from the config file), it will always be tainted.

In such a case, the validator prints only "This page is not valid" and no error or explanation. This makes the validator completely unusable, hence the severity "major".

Can we consider that what is in the config file can be trusted and untaint all parameters blindly?

Frédéric
Hum... it looks like I got lost in the different branches of the CVS: the fix seems to be there already. Closing this bug, sorry for the noise.
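
An added example, not the validator's own code: one way to pass a config-supplied parser path to open3 under -T is to untaint it through a validating pattern rather than blindly. The helper name untaint_program_path, the use of /bin/echo as a stand-in for the SGML parser, and the simulated tainted config value are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use IPC::Open3;
use Scalar::Util qw(tainted);

# Under -T, Perl refuses to start a subprocess until PATH is a known value,
# even when the command is given as an absolute path.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: return an untainted copy of a program path taken from
# the config file, or die. Only a regex capture clears the taint flag, so the
# pattern is the whole policy: absolute path, conservative character set.
sub untaint_program_path {
    my ($path) = @_;
    my ($clean) = $path =~ m{\A(/(?:[A-Za-z0-9_.+-]+/)*[A-Za-z0-9_.+-]+)\z}
        or die "Refusing parser path from config: '$path'\n";
    die "Parser path contains '..': '$clean'\n"
        if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    die "Parser is not an executable file: '$clean'\n"
        unless -f $clean && -x _;
    return $clean;
}

# Constructed stand-in for a value read from the config file: appending a
# zero-length tainted string marks the whole scalar as tainted.
my $TAINT      = substr("$0$^X", 0, 0);
my $configured = '/bin/echo' . $TAINT;
printf "from config: tainted=%d\n", tainted($configured) ? 1 : 0;

my $parser = untaint_program_path($configured);
printf "validated:   tainted=%d\n", tainted($parser) ? 1 : 0;

# With Perl 5.8.1 or later, passing $configured here would die inside open3's
# "exec @cmd"; the validated copy is accepted.
my @cmd = ($parser, 'parser', 'ran');
my $pid = open3(my $in, my $out, undef, @cmd);
close $in;
print while <$out>;
waitpid $pid, 0;
```

Any other element of @cmd that comes from the config file or the request needs its own pattern; a catch-all capture such as (.*) clears the taint flag without checking anything.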