
Item11521: Taint problems in perl 5.8.x?

Priority: Normal
Current State: No Action Required
Released In: 1.2.0
Target Release: minor
Applies To: Engine
Component:
Branches:
Reported By: PaulHarvey
Waiting For:
Last Change By: GeorgeClark
We officially support perl 5.8.8+, but I'm concerned that seeing as none of the core developers are using a perl this old, some taint problems are slipping through the cracks.

Can we get somebody to run a nightly build on a 5.8.8 VM? Without that, this is just going to keep happening...

Tainting problems reported on Perl 5.8.x

  • Perl 5.8.9 (though I think I have reproduced this on perl 5.14 when the working/logs dirs get created in a fresh, not-yet-saved config; the problem 'fixes itself' (mkdir succeeds, as do subsequent config saves))
  • Perl 5.8.5
  • Perl 5.8.8

-- PaulHarvey - 13 Feb 2012

Dear Paul,

I confirm your concern about taint mode problems in perl 5.8.8. I've just upgraded from TWiki 4 to Foswiki 1.1.5, only to discover that attaching files to a topic (through the bin/upload CGI script) fails.

In FOSWIKI_PATH/working/logs/error.log I noticed this (after MANY hours of debugging):
| 2012-06-05T13:18:53Z warning | Insecure $ENV{PATH} while running with -T switch at /usr/local/escaux/foswiki/lib/Foswiki/Sandbox.pm line 557.
 at /usr/local/escaux/foswiki/lib/Foswiki/Sandbox.pm line 557
        Foswiki::Sandbox::sysCommand('Foswiki::Sandbox', '/usr/bin/rlog  -h %FILENAME|F%', 'FILENAME', '/usr/local/escaux/foswiki/data/Main/WikiUsers.txt,v') called at /usr/local/escaux/foswiki/lib/Foswiki/Store/VC/RcsWrapHandler.pm line 358
        Foswiki::Store::VC::RcsWrapHandler::_numRevisions('Foswiki::Store::VC::RcsWrapHandler=HASH(0x11ad6df0)') called at /usr/local/escaux/foswiki/lib/Foswiki/Store/VC/Handler.pm line 242
...

Strange, taint warnings? So I checked the config:
[root@ict005 foswiki]# grep SafeEnvPath lib/LocalSite.cfg
$Foswiki::cfg{SafeEnvPath} = '/sbin:/usr/sbin:/bin:/usr/bin';

rlog, the binary called earlier, is located in that safe path.

So, I tried this patch, manually setting the $ENV{PATH} and bypassing taint problems.
[root@ict005 foswiki]# diff bin/upload.orig bin/upload
6a7
>     $ENV{PATH}='/sbin:/usr/sbin:/bin:/usr/bin';
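Review bot: the added line hardcodes a second copy of the PATH value that LocalSite.cfg already carries in $Foswiki::cfg{SafeEnvPath}, so the two can drift apart and the change is lost the next time bin/upload is replaced by an upgrade; as a diagnostic it is fine, but as a fix it only masks why the configured SafeEnvPath was not applied for this request. Note also that the failing call is in Foswiki::Sandbox::sysCommand reached from the RCS store handler (see the stack trace above), which every script that touches a ,v file goes through, so patching bin/upload alone leaves the other bin scripts exposed to the same fatal error.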

Now attaching of files/upload works flawlessly.

Could this be a problem in my config, or a compatibility issue between perl 5.8.8 and Foswiki?

Some info about the environment:

  • OS: RedHat Enterprise Linux 5.8 (codename Tikanga), having all the latest updates.
  • Perl: 5.8.8
  • Extra package repository used: rpmforge

-- BertVermeulen - 05 Jun 2012

I've been occasionally running the unit test suite on Perl 5.8.4, which is the minimum perl for Foswiki 1.1.5 since Item11890. The complete suite runs without taint errors. SafeEnvPath should be thoroughly untainted in release 1.1.5.

-- GeorgeClark - 05 Jun 2012

George, you are forgetting something important: a distro's Perl is not the same as the real release, and Red Hat patches things quite often.

perlbrew is nice, but distro perl makes life more complicated.

-- SvenDowideit - 07 Nov 2012

I guess I don't understand the issue. If $Foswiki::cfg{SafeEnvPath} has been set in your LocalSite.cfg, then it should already be untainted and overrides the $ENV{PATH} setting. And if it's not set, Foswiki.pm initialization code explicitly untaints the $ENV{PATH} setting. It's this way in 1.1.4 as well.

-- GeorgeClark - 07 Nov 2012
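The mechanism under discussion, as an added stand-alone example (not Foswiki's code and not from anyone in this thread): under -T every value inherited from the environment is tainted, PATH included, and Perl refuses to run any external program, even one named by absolute path such as /usr/bin/rlog, until PATH has been untainted through a regex capture. The script below first triggers the same "Insecure $ENV{PATH} while running with -T switch" fatal error that appears in Bert's error.log, then untaints a PATH value against an allowlist and runs the command again. The PATH string is a hardcoded stand-in for $Foswiki::cfg{SafeEnvPath}, and `ls -d /` stands in for the `rlog -h file,v` call in the stack trace so that the script runs on a box without RCS.

```perl
#!/usr/bin/perl -T
# Added example, not Foswiki code: why an inherited PATH trips taint mode
# on any external command, and the usual way to untaint it.
use strict;
use warnings;

# Stands in for $Foswiki::cfg{SafeEnvPath}; the real value comes from
# LocalSite.cfg. Hardcoded here so the script runs stand-alone.
my $safe_env_path = '/sbin:/usr/sbin:/bin:/usr/bin';

# Under -T every value read from %ENV is tainted, PATH included. Perl
# refuses to run *any* external program (system, exec, backticks, piped
# open), even one given by absolute path like /usr/bin/rlog, until PATH
# has been untainted. That is the "Insecure $ENV{PATH} while running
# with -T switch" fatal error. The check happens in the parent before
# the fork, so it is catchable with eval.
sub run_external {
    my @cmd = @_;
    open my $fh, '-|', @cmd or die "cannot run @cmd: $!";   # list form: no shell
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out // '';
}

# The only way to untaint is a regex capture, so validate the configured
# value against an allowlist rather than blessing whatever was inherited:
# colon-separated absolute directories, no relative or empty entries.
sub untaint_path {
    my ($path) = @_;
    if ( $path =~ m{\A(/[\w./+-]*(?::/[\w./+-]*)*)\z} ) {
        return $1;    # the capture is untainted
    }
    die "refusing unsafe PATH '$path'\n";
}

# 1. Demonstrate the failure with the tainted, inherited PATH.
my $err = '';
eval { run_external( 'ls', '-d', '/' ); 1 } or $err = $@;
print "before untainting: $err";

# 2. Untaint. perlsec also lists IFS, CDPATH, ENV and BASH_ENV as
#    variables a child shell honours, so drop them as well.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = untaint_path($safe_env_path);

# 3. The same call now succeeds. Perl still dies with
#    "Insecure directory in $ENV{PATH}" if any listed directory is
#    world-writable, so a safe PATH must also be a safe set of directories.
print "after untainting: ", run_external( 'ls', '-d', '/' );
```

Run it as `perl -T taint_path.pl` (the -T on the shebang line alone is rejected with "Too late for -T" when perl is started without the switch). The first line of output is the fatal message from the tainted PATH; the second is the command's output once PATH has been untainted. Whether the untainted PATH comes from a config value, as Foswiki does with SafeEnvPath, or is assigned as a literal, as in the bin/upload workaround above, the effect on the taint check is the same; the difference is only where the value is maintained.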

I'm removing myself from the WaitingFor because I lack the time to work on this. Bert, if you have time, we would appreciate your advice on this bug. Do you think it should block a Foswiki 1.2.0 release? Are you still on perl 5.8?

-- PaulHarvey - 17 Nov 2012 - 02:42

Unfortunately, I'm not in a position to try and reproduce the issue on another RedHat EL 5.8 system due to a lack of licenses. I tried the next best thing: A Foswiki setup on CentOS, which uses the same or very similar software as the RedHat version they're based upon:

  • CentOS release 5.8 (Final)
  • perl 5.8.8
  • Foswiki 1.1.5

With this setup, I couldn't reproduce the error: attaching files to a topic went fine, no taint errors were seen in the logfile.

For me personally, this issue is non-blocking. I have a workaround, and any future install of Foswiki will be done on a RedHat 6 with a more recent perl version.

-- BertVermeulen - 17 Mar 2013

I'm marking this as no action required. If anyone recreates this issue, please reopen, and mark it urgent.

-- GeorgeClark - 02 Jun 2014

Summary: Taint problems in perl 5.8.x?
ReportedBy: PaulHarvey
Codebase: 1.1.4, trunk
SVN Range:
AppliesTo: Engine
Component:
Priority: Normal
CurrentState: No Action Required
WaitingFor:
Checkins:
TargetRelease: minor
ReleasedIn: 1.2.0
CheckinsOnBranches:
trunkCheckins:
Release01x01Checkins:
Topic revision: r8 - 02 Jun 2014, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement.