On TWiki 4.2.0, with an updated MailerContrib, and then installing SubscribePlugin and by adding %SUBSCRIBE% to a forum topic, you get the following with Perl 5.8.4 (it goes away when I upgrade the test system to 5.8.4):
# ./view Forum.ForumSandbox0001
Content-type: text/plain
Insecure dependency in eval while running with -T switch at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 243.
TWiki::Form::createField('TWiki::Form=HASH(0x8a378cc)', 'text', 'name', 'Title', 'title', 'Title', 'size', 40, 'value', ...) called at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 211
TWiki::Form::_parseFormDefinition('TWiki::Form=HASH(0x8a378cc)', 'TWiki::Meta=HASH(0x8a384dc)', '---+ Discussion Forum Form\x{a}\x{a}| *Name* | *Type* | *Size* | *Val...') called at /var/apache2/htdocs/twiki/lib/TWiki/Form.pm line 87
TWiki::Form::new('TWiki::Form', 'TWiki=HASH(0x8294cc8)', 'Forum', 'DiscussionTopicForm') called at /var/apache2/htdocs/twiki/lib/TWiki/Meta.pm line 598
TWiki::Meta::renderFormForDisplay('TWiki::Meta=HASH(0x86e8e6c)', 'TWiki::Templates=HASH(0x87089bc)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 3795
TWiki::META('TWiki=HASH(0x8294cc8)', 'TWiki::Attrs=HASH(0x8a37914)', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2660
TWiki::_expandTagOnTopicRendering('TWiki=HASH(0x8294cc8)', 'META', '"form"', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2581
TWiki::_processTags('TWiki=HASH(0x8294cc8)', ' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'CODE(0x82b98a4)', 16, 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2505
TWiki::expandAllTags('TWiki=HASH(0x8294cc8)', 'SCALAR(0x82c1048)', 'ForumSandbox0001', 'Forum', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki.pm line 2857
TWiki::handleCommonTags('TWiki=HASH(0x8294cc8)', ' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'Forum', 'ForumSandbox0001', 'TWiki::Meta=HASH(0x86e8e6c)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI/View.pm line 396
TWiki::UI::View::_prepare(' %IF{"$raw=\'on\'" then=\'<div class="patternSigLine"><span c...', 'TWiki=HASH(0x8294cc8)', 'Forum', 'ForumSandbox0001', 'TWiki::Meta=HASH(0x86e8e6c)', 0) called at /var/apache2/htdocs/twiki/lib/TWiki/UI/View.pm line 383
TWiki::UI::View::view('TWiki=HASH(0x8294cc8)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI.pm line 159
TWiki::UI::__ANON__() called at /var/apache2/htdocs/twiki/lib/CPAN/lib//Error.pm line 379
eval {...} called at /var/apache2/htdocs/twiki/lib/CPAN/lib//Error.pm line 371
Error::subs::try('CODE(0x806d614)', 'HASH(0x86f0b8c)') called at /var/apache2/htdocs/twiki/lib/TWiki/UI.pm line 197
TWiki::UI::run('CODE(0x8326b94)', 'view', 1) called
TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.
Insecure dependency in eval while running with -T switch
Turns out it's in MailerContrib::WebNotify::_load() - I've not narrowed it further yet.
Perl 5.8.4 is the Perl distributed in the current version of Solaris 10 :/ so even though it's almost as old as the PC :}, it's still needed.
--
TWiki:Main/SvenDowideit
- 20 Jul 2008
I don't know what to suggest. I don't have a copy of perl 5.8.4, and the fact that this doesn't fail with my 5.8.8 suggests that it's a problem with the perl rather than the contrib.
Need more feedback from a 5.8.4 user who can reproduce the problem.
--
CrawfordCurrie - 21 Jul 2008
Per TWiki:Codev.GeorgetownReleaseMeeting2008x07x21, TWiki:Main.RafaelAlvarez will try and reproduce.
Sven is also expected to attempt to fix it as the reporter.
--
TWiki:Main.KennethLavrsen
- 22 Jul 2008
With the latest version of SubscribePlugin in the Plugins web and the latest version of TWiki4.2 in SVN, I get the following error:
Undefined subroutine &TWiki::Func::registerTagHandler called at /home/twiki/new/ng/lib/TWiki/Plugins/SubscribePlugin.pm
The same happens with the version SVN... I put a "require TWiki::Func" statement at the beginning and it worked. Something must have changed between 4.1.2 and 4.2, because my 4.1.2 installation is working fine.
--
TWiki:Main.RafaelAlvarez
- 22 Jul 2008
I managed to reproduce the error with the latest TWiki 4.2.1, SubscribePlugin and MailerContrib in SVN (as of today).
It happens just by "view"ing a topic with the %SUBSCRIBE% tag.
--
TWiki:Main.RafaelAlvarez
- 22 Jul 2008
coincidentally, I nailed down the problem in Forms.pm. Here is the patch:
Index: Form.pm
===================================================================
--- Form.pm (revision 17106)
+++ Form.pm (working copy)
@@ -240,6 +240,7 @@
my $class = $type;
$class =~ /^(\w*)/; # cut off +buttons etc
$class = 'TWiki::Form::'.ucfirst($1);
+ $class=TWiki::Sandbox::untaintUnchecked($class);
eval 'require '.$class;
if( $@ ) {
# Type not available; use base type
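Review bot: the added untaintUnchecked call is applied to the whole concatenated $class, which hides the fact that the only validation protecting the string eval 'require '.$class is the /^(\w*)/ capture two lines above it. Please add a comment on the new line saying that the value is already restricted to word characters by that capture, so a later change to the pattern is not made without noticing that it feeds an eval. Since \w* also matches the empty string, consider \w+ with an explicit fallback to the base type, so that an empty or non-word type never reaches the eval as a bare 'TWiki::Form::'.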
if nobody has any objections on it, I'll commit it tomorrow
--
TWiki:Main.RafaelAlvarez
- 22 Jul 2008
new patch... I prefer this one (one less method call). Thanks to Babar, Lavr and Peter:
Index: Form.pm
===================================================================
--- Form.pm (revision 17106)
+++ Form.pm (working copy)
@@ -239,7 +239,8 @@
my $class = $type;
$class =~ /^(\w*)/; # cut off +buttons etc
- $class = 'TWiki::Form::'.ucfirst($1);
+ my $workaround=$1; #otherwise it will mark $1 as tainted in perl 5.8.4
+ $class = 'TWiki::Form::'.ucfirst($workaround);
eval 'require '.$class;
if( $@ ) {
# Type not available; use base type
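Review bot: the comment on the new $workaround line records the symptom but not why the copy is safe to pass into eval 'require '.$class. It should say that $1 comes from the /^(\w*)/ capture and is therefore limited to word characters, and that the copy exists only because of the Perl 5.8.4 taint behaviour, so the workaround can be found and removed later. A descriptive name such as $typeName would read better than $workaround. The capture can still be empty because of \w*, so a check for an empty value before building $class would avoid evaluating 'require TWiki::Form::'.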
--
TWiki:Main.RafaelAlvarez
- 22 Jul 2008
Can you put TWiki::Sandbox::untaintUnchecked into the comment? That function was created specifically to be a hinter that there is an attempt to secure user input data. And one day I hope that we'll analyse and extract them all so that it is done more efficiently.
--
TWiki:Main.SvenDowideit
- 23 Jul 2008
http://bugs.debian.org/303308
Looks like a bug in perl 5.8.4. But a really weird one.
--
TWiki:Main.OlivierRaginel
- 23 Jul 2008
Committed on 4.2.1
--
TWiki:Main.RafaelAlvarez
- 23 Jul 2008
This also happens in the trunk version... I'm in the process of merging the patch.
--
TWiki:Main.RafaelAlvarez
- 23 Jul 2008
done
--
TWiki:Main.RafaelAlvarez
- 23 Jul 2008
nioce

--
SvenDowideit - 31 Jul 2008
Cleaned "WaitingFor" field.
--
TWiki:Main.GilmarSantosJr
- 10 Aug 2008