Uploading an attachment now fails on version TWiki-4.1.1, Mon, 05 Feb 2007, build 12770 (possibly also version 4.1.0) if running with taint mode on. The following error is reported:
During save of
ProyectosOutSourcingYr2006 an error was found by the version control system. Please notify your TWiki administrator.
=Insecure dependency in chmod while running with -T switch at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 468. at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 468 TWiki::Store::RcsWrap::_lock('TWiki::Store::RcsWrap=HASH(0x98c5cd0)') called at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 141 TWiki::Store::RcsWrap::addRevisionFromStream('TWiki::Store::RcsWrap=HASH(0x98c5cd0)', 'Fh=GLOB(0x90ee16c)', 'Propuesta de SONDA para Sistema de Tesoreria', 'rcaceres') called at /usr/local/twiki/lib/TWiki/Store.pm line 997 TWiki::Store::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x997edd4)', 'HASH(0x9963218)') called at /usr/local/twiki/lib/TWiki/Store.pm line 1002 TWiki::Store::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x996d240)', 'HASH(0x997fa4c)') called at /usr/local/twiki/lib/TWiki/Store.pm line 1041 TWiki::Store::saveAttachment('TWiki::Store=HASH(0x95e552c)', 'InformPriv', 'ProyectosOutSourcingYr2006', 'Propuesta_SONDA_Tesoreria_V001_20070212.pdf', 'TWiki::User=HASH(0x98c23d4)', 'HASH(0x996ce80)') called at /usr/local/twiki/lib/TWiki/UI/Upload.pm line 220 TWiki::UI::Upload::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x9037f14)', 'HASH(0x997f140)') called at /usr/local/twiki/lib/TWiki/UI/Upload.pm line 237 TWiki::UI::Upload::upload('TWiki=HASH(0x89c17a8)') called at /usr/local/twiki/lib/TWiki/UI.pm line 157 TWiki::UI::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x8886a1c)', 'HASH(0x99240ec)') called at /usr/local/twiki/lib/TWiki/UI.pm line 197 TWiki::UI::run('CODE(0x96470ec)') called at /usr/local/twiki/bin/upload line 32 Apache::ROOTintranet_2eaasa_2ecom_2epe::twiki::bin::upload::handler('Apache=SCALAR(0x8ef5b2c)') called at /usr/lib/perl5/site_perl/5.8.7/i686-linux/Apache/Registry.pm line 149 eval {...} called at /usr/lib/perl5/site_perl/5.8.7/i686-linux/Apache/Registry.pm line 149 Apache::Registry::handler('Apache=SCALAR(0x8ef5b2c)') called at /dev/null line 0 eval {...} called
It must be noted that twiki ran fine under 4.0.5 before updating, that is taint mode was on. I've checked that the involved file:
RcsWrap.pm has changed.
--
TWiki:Main/RafaelCaceres
- 15 Feb 2007
Indeed it has, but only to update the copyright notice. Apart from that doc change, it hasn't changed since TWiki-4.0.0 was released.
However taint checks are insidious; the tainted data could have come from anywhere back up the stack. In fact what has happened is that the
RcsWrap object has been created with a tainted filename, somewhere further up the stack.
Since I cannot reproduce this (upload works fine for me with taint checks enabled) I can only ask that you (or someone else who
can reproduce it) try to track down the source of the problem yourself. You can check for the taintedness of a variable using
die "tainted $variable" unless Assert::UNTAINTED($variable)
.
One vague possibility is that it may only occur when UTF-8 is enabled.
Also, what is your perl version?
--
TWiki:Main.CrawfordCurrie
- 20 Feb 2007
No feedback from reporter, so closing under the 30 day rule.
CC