On #twiki IRC,
http://twiki.org/irc/twiki?date=2010-07-27,Tue&sel=78#l74
> skamster: hello all, i try to install twiki 5
> skamster: which is work for now.. but there's a problem: if i want to upgrade some plugins, there's a error which tells me this:
> skamster: Insecure dependency in open while running with -T switch at tools/extender.pl line 536.
> skamster: so i couldn't upgrade any plugins via webfrontend
> skamster: and a installer doesn't registered it correct, if i use it from the console..
> skamster: hope, someone could help me here..
-- TWiki:Main/PeterThoeny - 2010-07-27
Not sure if this is related: TWiki:Support.SID-00919
-- TWiki:Main.PeterThoeny - 2010-08-02
Workaround until fixed: Remove the -T switch from twiki/bin/configure, e.g. first line should look like this:
#!/usr/bin/perl -w
-- TWiki:Main.PeterThoeny - 2010-08-05
Unverified patch for twiki/tools/extender.pl, could anyone verify if this fixes the issue?
--- extender.pl (revision 19282)
+++ extender.pl (working copy)
@@ -50,6 +50,9 @@
BEGIN {
$installationRoot = Cwd::getcwd();
+ $installationRoot =~ /^(.*)$/;
+ $installationRoot = $1; # untaint - this is safe
+
my $check_perl_module = sub {
my $module = shift;
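Review bot: The untaint of `$installationRoot` in the BEGIN block assigns `$1` without checking that `/^(.*)$/` matched. `.` does not match a newline, so for a working directory whose name contains an embedded newline the match fails and `$1` holds whatever an earlier match left, or undef. Suggest `die "cannot untaint cwd" unless $installationRoot =~ /^(.*)$/s; $installationRoot = $1;`. Because the pattern accepts any content, the comment "this is safe" should also say why the value is trusted (it comes from Cwd::getcwd(), not from request input).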
@@ -980,6 +983,9 @@
my @deps;
foreach my $row (split(/\r?\n/, $data{DEPENDENCIES})) {
my ($module, $condition, $trigger, $type, $desc) = split(',', $row, 5);
+ $module =~ s/[^a-zA-Z0-9\:\_\-]//g; # allow limited chars only
+ $module = TWiki::Sandbox::untaintUnchecked( $module ); # untaint safe module name
+
push(@deps, {
name=>$module,
type=>$type,
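Review bot: The `s/[^a-zA-Z0-9\:\_\-]//g` on `$module` repairs the name instead of rejecting it, so a DEPENDENCIES row whose module field contains other characters is silently turned into a different (possibly empty) name, marked trusted by untaintUnchecked, and still pushed onto `@deps`. Suggest validating instead: match the whole field against an anchored pattern such as `/\A([A-Za-z0-9:_-]+)\z/`, use the capture as the untainted value, and skip or report the row when it does not match. The backslashes before `:` and `_` inside the character class are not needed.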
-- TWiki:Main.PeterThoeny - 2010-08-05
New report, same Insecure dependency issue, different cause: TWiki:Support.SID-01073.
-- TWiki:Main.PeterThoeny - 2011-01-10
I have the same issue in the latest version of twiki I installed yesterday. My twiki/tools/extender.pl looks like it has the Unverified patch already. I removed the -T switch and the install has been running for 3+ hours.
-- TWiki:Main.ChristopherMarzilli - 2011-03-11
I finally did some debugging and found two issues:
- The insecure dependency issue in LWP is caused by a relative directory '.' in the path. Unless stated in the comment, this is not needed to find tools/extender.pl because a full path is used anyway.
- Files in MANIFEST that contain dashes fail to install due to a too strict filter.
Both issues can be fixed by applying this patch on file twiki/lib/TWiki/Configure/UIs/EXTEND.pm:
--- TWiki/Configure/UIs/EXTEND.pm (revision 23282)
+++ TWiki/Configure/UIs/EXTEND.pm (working copy)
@@ -167,7 +167,6 @@
print "<pre>\n";
eval {
no warnings 'redefine';
- unshift(@INC, '.'); # needed to find tools/extender.pl
do $installScript;
use warnings 'redefine';
die $@ if $@; # propagate
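Review bot: With `unshift(@INC, '.')` removed, `do $installScript` depends on `$installScript` being an absolute path, and nothing in this hunk asserts that. When `do` cannot find or read the file it returns undef and sets `$!` while leaving `$@` empty, so `die $@ if $@` will not report the failure and the install would appear to do nothing. Suggest checking the path with File::Spec->file_name_is_absolute before the `do`, and dying on `$!` when `do` returns undef with an empty `$@`. Since the removed comment claimed the entry was needed, a line in the commit message on why it is not would help later readers.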
@@ -248,7 +247,7 @@
# a filename which, when passed to File::Copy, does something
# evil. Check and untaint the filenames here.
# SMELL: potential problem with unicode chars in file names?
- $f =~ /([\w.]+)/; $f = $1;
+ $f =~ /([\w\-\.]+)/; $f = $1;
if (-d "$dir$path/$f") {
push(@names, "$path$f/");
push(@names, _listDir($dir, "$path$f/"));
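Review bot: The new pattern `/([\w\-\.]+)/` on `$f` is still unanchored and its result is still unchecked. A name containing any other character is cut down to its first run of allowed characters rather than rejected, and when nothing matches, `$1` keeps the value from an earlier successful match. Suggest skipping the entry unless `$f =~ /\A([\w.-]+)\z/` and only then assigning `$f = $1`, so that only names made up entirely of allowed characters are untainted. Whether `.` and `..` are excluded before this line is not visible in the hunk and is worth confirming, since both pass the character class.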
-- TWiki:Main.PeterThoeny - 2012-09-17
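The filename filter discussed in the comment above, as an added example that is not TWiki code and not part of the original thread: it contrasts an unanchored capture in the style of the patch with an anchored one, run under taint mode. The function names and sample file names are constructed for illustration.

```perl
# Added example, not TWiki code. Run with: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Unanchored capture in the style of the patched filter: returns the first
# run of allowed characters and silently drops the rest of the name.
sub untaint_loose {
    my ($f) = @_;
    return $f =~ /([\w\-\.]+)/ ? $1 : undef;
}

# Anchored capture (hypothetical alternative): the whole name must consist
# of allowed characters, and the directory entries . and .. are refused.
sub untaint_strict {
    my ($f) = @_;
    return undef if $f eq '.' || $f eq '..';
    return $f =~ /\A([\w\-\.]+)\z/ ? $1 : undef;
}

# Constructed sample names. $^X is tainted under -T, so appending a
# zero-length piece of it taints each sample without changing its text.
my $taint   = substr($^X, 0, 0);
my @samples = map { $_ . $taint }
    ('jquery-ui.js', 'EXTEND.pm', 'a b.txt', 'x;y.pl', '..');

for my $name (@samples) {
    my $loose  = untaint_loose($name);
    my $strict = untaint_strict($name);
    printf "%-16s in_tainted=%d loose=%-16s strict=%s\n",
        "'$name'", tainted($name) ? 1 : 0,
        defined $loose  ? "'$loose'"  : 'no match',
        defined $strict ? "'$strict' (tainted=" . (tainted($strict) ? 1 : 0) . ")"
                        : 'rejected';
}
```

Names with dashes pass both filters; names with a space or semicolon are truncated by the loose filter and refused by the strict one.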
This is now fixed in SVN trunk and 5.1 branch.
Action you can take:
- Workaround: Remove the -T switch in the first line of file twiki/bin/configure.
- Manual fix: Please apply above patch dated 2012-09-17.
- Wait for fix: The fix will be released in the upcoming TWiki-5.1.2 release (in a few weeks).
-- TWiki:Main.PeterThoeny - 2012-09-17
I just got the "Insecure dependency" when attempting to install "Black List Plugin" from TWiki.org, extension list that I went to from Configure. I run TWiki 5.1.4.
-- TWiki:Main.DavidSteininger - 2013-07-19
This issue is back again, only on certain platforms, tracked in Item6965.
-- TWiki:Main.PeterThoeny - 2014-01-05