Item3643: Version 4.1.1 fails loading attachments with taint mode on

During save of ProyectosOutSourcingYr2006 an error was found by the version control system. Please notify your TWiki administrator.

=Insecure dependency in chmod while running with -T switch at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 468. at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 468 TWiki::Store::RcsWrap::_lock('TWiki::Store::RcsWrap=HASH(0x98c5cd0)') called at /usr/local/twiki/lib/TWiki/Store/RcsWrap.pm line 141 TWiki::Store::RcsWrap::addRevisionFromStream('TWiki::Store::RcsWrap=HASH(0x98c5cd0)', 'Fh=GLOB(0x90ee16c)', 'Propuesta de SONDA para Sistema de Tesoreria', 'rcaceres') called at /usr/local/twiki/lib/TWiki/Store.pm line 997 TWiki::Store::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x997edd4)', 'HASH(0x9963218)') called at /usr/local/twiki/lib/TWiki/Store.pm line 1002 TWiki::Store::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x996d240)', 'HASH(0x997fa4c)') called at /usr/local/twiki/lib/TWiki/Store.pm line 1041 TWiki::Store::saveAttachment('TWiki::Store=HASH(0x95e552c)', 'InformPriv', 'ProyectosOutSourcingYr2006', 'Propuesta_SONDA_Tesoreria_V001_20070212.pdf', 'TWiki::User=HASH(0x98c23d4)', 'HASH(0x996ce80)') called at /usr/local/twiki/lib/TWiki/UI/Upload.pm line 220 TWiki::UI::Upload::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x9037f14)', 'HASH(0x997f140)') called at /usr/local/twiki/lib/TWiki/UI/Upload.pm line 237 TWiki::UI::Upload::upload('TWiki=HASH(0x89c17a8)') called at /usr/local/twiki/lib/TWiki/UI.pm line 157 TWiki::UI::__ANON__() called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x8886a1c)', 'HASH(0x99240ec)') called at /usr/local/twiki/lib/TWiki/UI.pm line 197 TWiki::UI::run('CODE(0x96470ec)') called at /usr/local/twiki/bin/upload line 32 Apache::ROOTintranet_2eaasa_2ecom_2epe::twiki::bin::upload::handler('Apache=SCALAR(0x8ef5b2c)') called at /usr/lib/perl5/site_perl/5.8.7/i686-linux/Apache/Registry.pm line 149 eval {...} called at /usr/lib/perl5/site_perl/5.8.7/i686-linux/Apache/Registry.pm line 149 Apache::Registry::handler('Apache=SCALAR(0x8ef5b2c)') called at /dev/null line 0 eval {...} called

It must be noted that twiki ran fine under 4.0.5 before updating, that is taint mode was on. I've checked that the involved file: RcsWrap.pm has changed.

-- TWiki:Main/RafaelCaceres - 15 Feb 2007

Indeed it has, but only to update the copyright notice. Apart from that doc change, it hasn't changed since TWiki-4.0.0 was released.

However taint checks are insidious; the tainted data could have come from anywhere back up the stack. In fact what has happened is that the RcsWrap object has been created with a tainted filename, somewhere further up the stack.

Since I cannot reproduce this (upload works fine for me with taint checks enabled) I can only ask that you (or someone else who can reproduce it) try to track down the source of the problem yourself. You can check for the taintedness of a variable using die "tainted $variable" unless Assert::UNTAINTED($variable).

One vague possibility is that it may only occur when UTF-8 is enabled.

Also, what is your perl version?

-- TWiki:Main.CrawfordCurrie - 20 Feb 2007

No feedback from reporter, so closing under the 30 day rule.

CC