msva-perl not untainting $uid
We are now checking/untainting the uid pulled from the data from the query. However, the check is currently very simple:
{peer} is 'https' or 'ssh'
{context} does not contain any spaces
This is a reasonable check and sufficient for untainting. However, we could use Regexp::Common::URI to do the checking. However, we would have to greatly restrict what would be acceptable as a uid.
However, I question whether this is really necessary. It seems to me that the only thing that really matters is that the uid has full validity over the specified key. The form of the uid maybe really doesn't matter. It may only be necessary to untaint the uid for the sake of the system calls.
However, this might hopefully be completely moot when the validity check is being done completely internally in the msva.
(from redmine: created on 2010-05-01, closed on 2010-10-04)
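
The check described in this ticket, written as a taint-mode untainting routine. This is an added example, not msva-perl's own code: the helper name `untaint_uid`, the `peer://context` uid layout and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run with: perl -T untaint_uid.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper (not from msva-perl): returns an untainted uid string,
# or undef when either field fails the check described in the ticket.
sub untaint_uid {
    my ($data) = @_;
    my ($peer, $context) = @{$data}{qw(peer context)};
    return unless defined $peer && defined $context;

    # Perl only clears the taint flag on regex captures, so each field is
    # matched in full (\A ... \z) and the result is rebuilt from the captures.
    # {peer} must be exactly 'https' or 'ssh'.
    my ($clean_peer) = $peer =~ /\A(https|ssh)\z/ or return;
    # {context} must be non-empty with no whitespace (slightly stricter than
    # "no spaces": tabs and newlines are rejected too).
    my ($clean_context) = $context =~ /\A(\S+)\z/ or return;

    # Assumed uid layout for this example.
    return "$clean_peer://$clean_context";
}

# Constructed sample input. Appending a zero-length slice of a tainted
# variable marks each value as tainted under -T without changing its content.
my $taint = substr("$0$^X", 0, 0);
my @queries = (
    [ 'https', 'example.org' ],   # accepted
    [ 'ftp',   'example.org' ],   # rejected: peer not in the allow-list
    [ 'ssh',   'bad host' ],      # rejected: whitespace in context
);

for my $q (@queries) {
    my %data = (peer => $q->[0] . $taint, context => $q->[1] . $taint);
    my $uid  = untaint_uid(\%data);
    my $result = defined $uid
        ? "$uid (tainted: " . (tainted($uid) ? 'yes' : 'no') . ")"
        : 'rejected';
    printf "%-22s -> %s\n", "$q->[0] / $q->[1]", $result;
}
```

Because the `\S+` capture untaints anything without whitespace, the value is safe only when passed to system calls in list form, where no shell interprets it.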