• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5796: SubscribePlugin and perl 5.8.4 exposes a taint issue in the latest MailerContrib

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine MailerContrib Urgent Closed   patch 4.2.1, 5.0.0

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

on TWiki 4.2.0, with an updated MailerContrib, and then installing SubscribePlugin and

by adding %<nop>SUBSCRIBE% to a forum topic, you get the following with Perl 5.8.4 (itgoes away when I upgrade the test system to 5.8.4

 
# ./view Forum.ForumSandbox0001
Content-type: text/plain

Insecure dependency in eval while running with -T switch at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 243.
        TWiki::Form::createField('TWiki::Form=HASH(0x8a378cc)', 'text', 'name', 'Title', 'title', 'Title', 'size', 40, 'value', ...) called at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 211
        TWiki::Form::_parseFormDefinition('TWiki::Form=HASH(0x8a378cc)', 'TWiki::Meta=HASH(0x8a384dc)', '---+ Discussion Forum Form\x{a}\x{a}| *Name* | *Type* | *Size* | *Val...') called at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 87
        TWiki::Form::new('TWiki::Form', 'TWiki=HASH(0x8294cc8)', 'Forum', 'DiscussionTopicForm') called at /var/apache2/htdocs/twiki/lib/TWiki/Meta.pm line 598
        TWiki::Meta::renderFormForDisplay('TWiki::Meta=HASH(0x86e8e6c)', 'TWiki::Templates=HASH(0x87089bc)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 3795
        TWiki::META('TWiki=HASH(0x8294cc8)', 'TWiki::Attrs=HASH(0x8a37914)', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2660
        TWiki::_expandTagOnTopicRendering('TWiki=HASH(0x8294cc8)', 'META', '"form"', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2581
        TWiki::_processTags('TWiki=HASH(0x8294cc8)', ' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'CODE(0x82b98a4)', 16, 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2505
        TWiki::expandAllTags('TWiki=HASH(0x8294cc8)', 'SCALAR(0x82c1048)', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2857
        TWiki::handleCommonTags('TWiki=HASH(0x8294cc8)', ' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'Forum', 'ForumSandbox0001', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI/View.pm line 396
        TWiki::UI::View::_prepare(' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'TWiki=HASH(0x8294cc8)', 'Forum', 'ForumSandbox0001', 'TWiki::Meta=HASH(0x86e8e6c)', 0) called at /var/apache2/htdocs/twiki/lib/TWiki/UI/View.pm line 383
        TWiki::UI::View::view('TWiki=HASH(0x8294cc8)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI.pm line 159
        TWiki::UI::__ANON__() called at /var/apache2/htdocs/twiki/lib/CPAN/lib//Error.pm line 379
        eval {...} called at /var/apache2/htdocs/twiki/lib/CPAN/lib//Error.pm line 371
        Error::subs::try('CODE(0x806d614)', 'HASH(0x86f0b8c)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI.pm line 197
        TWiki::UI::run('CODE(0x8326b94)', 'view', 1) called
TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.

Insecure dependency in eval while running with -T switch

turns out its in MailerContrib::WebNotify::_load() - I've not narrowed it further yet.

Perl 5.8.4 is the Perl distributed in the current version of Solaris 10 :/ so even though its almost as old as the PC :}. its still needed.

-- TWiki:Main/SvenDowideit - 20 Jul 2008

i don't know what to suggest. i don't have a copy of perl 5.8.4, and the fact that this doesn't fail with my 5.8.8 suggests that it's a problem with the perl rather than the contrib.

Need more feedback from a 5.8.4 user who can reproduce the problem.

-- CrawfordCurrie - 21 Jul 2008

Per TWiki:Codev.GeorgetownReleaseMeeting2008x07x21 TWiki:Main.RafaelAlvarez will try and reproduce

Sven is also expected to attempt to fix it as the reporter

-- TWiki:Main.KennethLavrsen - 22 Jul 2008

With the latest version of SubscribePlugin in the Plugins web and the latest version of TWiki4.2 in SVN, I get the following error:

Undefined subroutine &TWiki::Func::registerTagHandler called at /home/twiki/new/ng/lib/TWiki/Plugins/SubscribePlugin.pm
The same happens with the version SVN... I put a "require TWiki::Func" statement at the beginning and it worked. Something must have change d between 4.1.2 and 4.2, because my 4.1.2 installation is working fine.

-- TWiki:Main.RafaelAlvarez - 22 Jul 2008

I manage to reproduce the error with the latest TWiki 4.2.1, SubscribePlugin and MailerContrib in SVN (as of today).

It happens just by "view"ing a topic with the %SUBSCRIBE% tag

-- TWiki:Main.RafaelAlvarez - 22 Jul 2008

coincidentally, I nailed down the problem in Forms.pm. Here is the patch:

Index: Form.pm
===================================================================
--- Form.pm     (revision 17106)
+++ Form.pm     (working copy)
@@ -240,6 +240,7 @@
     my $class = $type;
     $class =~ /^(\w*)/; # cut off +buttons etc
     $class = 'TWiki::Form::'.ucfirst($1);
+       $class=TWiki::Sandbox::untaintUnchecked($class);
     eval 'require '.$class;
     if( $@ ) {
         # Type not available; use base type

if nobody has any objections on it, I'll commit it tomorrow

-- TWiki:Main.RafaelAlvarez - 22 Jul 2008

new patch... I prefer this one (one less method call). Thanks to Babar, Lavr and Peter:


Index: Form.pm
===================================================================
--- Form.pm     (revision 17106)
+++ Form.pm     (working copy)
@@ -239,7 +239,8 @@

     my $class = $type;
     $class =~ /^(\w*)/; # cut off +buttons etc
-    $class = 'TWiki::Form::'.ucfirst($1);
+    my $workaround=$1; #otherwise it will mark $1 as tainted in perl 5.8.4
+    $class = 'TWiki::Form::'.ucfirst($workaround);
     eval 'require '.$class;
     if( $@ ) {
         # Type not available; use base type

-- TWiki:Main.RafaelAlvarez - 22 Jul 2008

Can you put TWiki::Sandbox::untaintUnchecked into the comment? that function was created specifically to be a hinter that there is an attempt to secure user input data. And oneday I hope that we'll analyse and extract them all so that it is done more efficiently.

-- TWiki:Main.SvenDowideit - 23 Jul 2008

http://bugs.debian.org/303308 Looks like a bug in perl 5.8.4. But a really weird one.

-- TWiki:Main.OlivierRaginel - 23 Jul 2008

Commited on 4.2.1

-- TWiki:Main.RafaelAlvarez - 23 Jul 2008

This also happens in the trunk version... I'm in the process of merging the patch.

-- TWiki:Main.RafaelAlvarez - 23 Jul 2008

done

-- TWiki:Main.RafaelAlvarez - 23 Jul 2008

nioce smile -- SvenDowideit - 31 Jul 2008

Cleaned "WaitingFor" field.

-- TWiki:Main.GilmarSantosJr - 10 Aug 2008

ItemTemplate
Summary SubscribePlugin and perl 5.8.4 exposes a taint issue in the latest MailerContrib
ReportedBy TWiki:Main.SvenDowideit
Codebase

SVN Range TWiki-5.0.0, Thu, 17 Jul 2008, build 17046
AppliesTo Engine
Component MailerContrib
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:17121 TWikirev:17122
TargetRelease patch
ReleasedIn 4.2.1, 5.0.0
Edit | Attach | Watch | Print version | History: r14 < r13 < r12 < r11 < r10 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r14 - 2008-08-10 - GilmarSantosJr
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback