cross
Foswiki General Assembly will be held on 12th December 2019, 1200 UTC on Freenode IRC channel #foswiki-association. See AgendaTenthGeneralAssembly
You are here: Foswiki>Tasks Web>Item13938 (25 Sep 2016, GeorgeClark)Edit Attach

Item13938: Random Taint errors in CGI/Session/Driver/file.pm

pencil
Priority: Normal
Current State: Confirmed
Released In: n/a
Target Release: major
Applies To: Engine
Component: FoswikiSession
Branches:
Reported By: MarkusUeberall
Waiting For:
Last Change By: GeorgeClark
When using mod_perl (engine Foswiki::Engine::Apache2::MP20) together with an apache configuration generated by ApacheConfigGenerator (but with PerlSwitches -wT), accessing FoswikiServerInformation triggers the following taint error:

[Tue Feb 02 14:55:24.279516 2016] [perl:error] [pid 12285:tid 139820147820288] [client 10.0.3.1:37036] Insecure dependency in sysopen while running with -T switch at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session/Driver/file.pm line 107.\n at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session/Driver/file.pm line 107.\n\tCGI::Session::Driver::file::store(CGI::Session::Driver::file=HASH(0x7f2a54c824e8), "324f3c95fd90535bdc64c32f126b97c3", "\\x{4}\\x{a}\\x{8}12345678\\x{4}\\x{8}\\x{8}\\x{8}\\x{3}\\x{8}\\x{0}\\x{0}\\x{0}\\x{6}KC\\x{ad}V\\x{0}\\x{0}\\x{0}\\x{0}\\x{e}\\x{0}\\x{0}\\x{0}_SESSION_CTIME\\x{a} 324f3c95fd90"...) called at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session.pm line 251\n\tCGI::Session::flush(Foswiki::LoginManager::Session=HASH(0x7f2a54c82410)) called at /var/www/apps/foswiki/lib/Foswiki/LoginManager.pm line 727\n\tFoswiki::LoginManager::complete(Foswiki::LoginManager::TemplateLogin=HASH(0x7f2a54bd0528)) called at /var/www/apps/foswiki/lib/Foswiki/LoginManager.pm line 209\n\tFoswiki::LoginManager::finish(Foswiki::LoginManager::TemplateLogin=HASH(0x7f2a54bd0528)) called at /var/www/apps/foswiki/lib/Foswiki/Users.pm line 163\n\tFoswiki::Users::finish(Foswiki::Users=HASH(0x7f2a54829310)) called at /var/www/apps/foswiki/lib/Foswiki.pm line 2522\n\tFoswiki::finish(Foswiki=HASH(0x7f2a5412a5b0)) called at /var/www/apps/foswiki/lib/Foswiki/UI.pm line 501\n\tFoswiki::UI::_execute(Foswiki::Request=HASH(0x55bd7bda0d48), CODE(0x55bd7bda0700), "view", 1) called at /var/www/apps/foswiki/lib/Foswiki/UI.pm line 326\n\tFoswiki::UI::handleRequest(Foswiki::Request=HASH(0x55bd7bda0d48)) called at /var/www/apps/foswiki/lib/Foswiki/Engine/Apache.pm line 91\n\tFoswiki::Engine::Apache::run(Apache2::RequestRec=SCALAR(0x55bd7bd8be70)) called at -e line 0\n\teval {...} called at -e line 0\n

-- MarkusUeberall - 02 Feb 2016

This is caused by an upstream package error. See

We recommend disabling Taint checking if you encounter this error after installing an updated perl. You can resolve this issue through one or more of the following actions:
  • Remove the "-wT" or "-T" flags from any bin or tools scripts.
  • Remove PerlSwitches -wT statement from the Foswiki Apache configuration (when using mod_perl)
  • Comment out the line $ENV{FOSWIKI_ASSERTS} = 1; in bin/LocalLib.cfg
  • Uninstall CPAN:Taint::Runtime (not necessary if you disable FOSWIKI_ASSERTS

You could also temporarily patch the CGI/Session/Driver/file.pm to untaint the path.

--- /disk2/perl5/perlbrew/perls/perl-5.20.2/lib/site_perl/5.20.2/CGI/Session/Driver/file.pm     2015-05-27 19:39:30.000000000 -0400
+++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-26 22:40:50.481316202 -0500
@@ -90,6 +90,7 @@
     my ($sid, $datastr) = @_;
     
     my $path = $self->_file($sid);
+    ($path) = $path =~ m/^(.*)$/;      # untaint the path
     
     # make certain our filehandle goes away when we fall out of scope
     local *FH;

-- MarkusUeberall - 02 Feb 2016

Unfortunately this is an upstream error and after many months, it seems that no fix is forthcoming. The CGI::Session developer has moved on. It may be that the eventual fix for this will be moving away from CGI::Session. The OO Foswiki experimental branch has moved to Plack / PSGI and may have an opportunity to replace CGI::Session with the Plack/PSGI implementation.

-- GeorgeClark - 25 Sep 2016
 

ItemTemplate edit

Summary Random Taint errors in CGI/Session/Driver/file.pm
ReportedBy MarkusUeberall
Codebase 2.1.2, 2.1.1, 2.1.0, 2.1.0 beta1
SVN Range
AppliesTo Engine
Component FoswikiSession
Priority Normal
CurrentState Confirmed
WaitingFor
Checkins
TargetRelease major
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release02x01Checkins
Release02x00Checkins
Release01x01Checkins
Topic revision: r3 - 25 Sep 2016, GeorgeClark - This page was cached on 06 Dec 2019 - 01:39.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy