
Item691: %ENV is aliased to another variable while running with -T switch

Priority: Normal
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component: Sandbox
Branches:
Reported By: StefanPalm
Waiting For:
Last Change By: KennethLavrsen
With mod_perl enabled Foswiki fails to display pages randomly when user is authenticated.

Error message is | 07 Jan 2009 - 12:12 | %ENV is aliased to another variable while running with -T switch at /apps/wiki/data/wiki-prd/lib/Foswiki/Sandbox.pm line 480

Found on Solaris10 with Apache/2.2.11 mod_perl/2.0.4 Perl/v5.10.0; reproducible on Debian 4.0 (Apache/2.2.3 mod_perl/2.0.2 Perl/v5.8.8)

-- StefanPalm

This bug prevented running any sysCommand under mod_perl.

Reported by user pontius on #foswiki, 6-7 Jan 2009

-- OlivierRaginel - 07 Jan 2009

It also broke the RcsFile unit tests, so no release on the 7th.

-- KennethLavrsen - 08 Jan 2009

Some experiments show that the local @ENV on some perls resets the ENV so for example the rcs ci runs as root and fails.

Sven suggested

local @ENV = @ENV

The unit tests pass with this.

So this should be tried by the mod_perl guys with the original problem.

But this could also bring back the issue which seems taint related. Most likely issue is that the $ENV{"PATH"} is tainted. The cure for this would be to untaint this by setting

$ENV{"PATH"} = "some untainted path"

I could suggest this code to try, put in the same place where the local @ENV was placed in Sandbox.pm:

[root@www foswiki]# svn diff
Index: core/lib/Foswiki/Sandbox.pm
===================================================================
--- core/lib/Foswiki/Sandbox.pm (revision 1849)
+++ core/lib/Foswiki/Sandbox.pm (working copy)
@@ -478,6 +478,16 @@
             open( STDERR, '>', File::Spec->devnull() )
               || die "Can't kill STDERR: '$!'";

+            local %ENV = %ENV;
+            if ( $Foswiki::cfg{SafeEnvPath} ) {
+                $ENV{PATH} = $Foswiki::cfg{SafeEnvPath};
+            }
+            else {
+                # SMELL: how can we validate the PATH?
+                $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
+            }
+            delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+
             unless ( exec( $path, @args ) ) {
                 syswrite( STDOUT, $key . ": $!\n" );
                 exit($key);
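
Review bot: in the else branch, the assignment $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} ) clears the taint flag on the inherited PATH without checking its value, so whenever {SafeEnvPath} is unset the exec below runs with whatever PATH the server process was given. The SMELL comment already asks how to validate it: either fall back to a fixed minimal path, or reject entries that are empty, relative or '.' before assigning. Separately, local %ENV = %ENV looks unnecessary at this point, because the code that follows either execs or calls exit($key), so the localized copy is never unwound; assigning to %ENV directly would avoid replacing the hash.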

I would try with this code in mod_perl and if it works we check it in and release.

It passes the unit tests on my machine.

-- KennethLavrsen - 08 Jan 2009
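
One way to validate PATH instead of untainting it unchecked, as discussed in the comment above. This is an added example, not Foswiki code and not part of the original report: clean_path and run_clean are hypothetical helpers, the fallback path is an assumption, and it is written as a stand-alone script rather than for mod_perl.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper (not Foswiki code): return a validated, untainted PATH.
# Keeps only absolute directories made of conservative characters; drops
# empty entries, '.' and relative entries, which all resolve against the
# current directory.
sub clean_path {
    my ($raw) = @_;
    my @keep;
    for my $dir ( split /:/, defined $raw ? $raw : '' ) {
        # The capture is what untaints; the pattern is the actual check.
        next unless $dir =~ m{^(/[\w./+-]*)$};
        my $ok = $1;
        next if $ok =~ m{(?:^|/)\.\.?(?:/|$)};    # no . or .. components
        push @keep, $ok;
    }
    # Assumed fallback when nothing survives validation.
    return @keep ? join( ':', @keep ) : '/usr/bin:/bin';
}

# Run a command with a scrubbed environment. The changes are made in the
# child only, so the parent's %ENV is never touched and no local is needed.
sub run_clean {
    my ( $path, @args ) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ( $pid == 0 ) {
        $ENV{PATH} = clean_path( $ENV{PATH} );
        delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
        exec { $path } $path, @args or do { warn "exec: $!\n"; exit 127 };
    }
    waitpid( $pid, 0 );
    return $? >> 8;
}

# Constructed sample input: empty entry, '.', a relative dir and a '..' hop.
my $sample = '/usr/bin::.:bin:/opt/../tmp:/bin';
print clean_path($sample), "\n";
print "exit=", run_clean( '/bin/echo', 'ran with PATH scrubbed' ), "\n";
```

Run it as perl -T script.pl; older perls refuse a -T that appears only on the #! line.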

Above fix is checked in to ease testing for mod_perl users.

I will revert if it does not work. If confirmed working we release when I wake up.

-- KennethLavrsen - 08 Jan 2009

Fix doesn't solve the problem for me
| 08 Jan 2009 - 06:52 | %ENV is aliased to another variable while running with -T switch at /apps/wiki/data/foswiki-1.0.0/lib/Foswiki/Sandbox.pm line 488

-- StefanPalm - 08 Jan 2009

Sorry about this. The error message was misleading, and I think it's an issue with mod_perl. One shouldn't really fork under mod_perl, thus we should warn users about this. Anyway, the distro:529cedf86fac seems to fix it, and doesn't break anything.

Downgrading this to normal (as it's fixed) and assigning it to Foswiki:Main.GilmarSantosJr so he can review.

-- OlivierRaginel - 08 Jan 2009

I don't understand yet why this error doesn't happen with other engines (CGI/FastCGI), but I analyzed it and there is no problem in setting $ENV{REMOTE_ADDR} without localizing it first. Anyway, mod_perl already adjusts it (using SetHandler perl-script).

But I'll improve Foswiki::LoginManager::Session, so it can work without the need to set %ENV, thus more robust. There is no problem to release this change with 1.0.1.

-- GilmarSantosJr - 09 Jan 2009

Since we now have released 1.0.0 and we did a fix, which was to remove the local %ENV in Session.pm, I am closing this report.

If we want to rewrite some of the Session code to be even more robust please do so on a new bug item so we have good configuration management of which bugs were resolved in which releases. This is vital information a year or two from now when people report problems.

-- KennethLavrsen - 09 Jan 2009

ItemTemplate

Summary %ENV is aliased to another variable while running with -T switch
ReportedBy StefanPalm
Codebase 1.0.0 beta3, 1.0.0 beta2, 1.0.0 beta1
SVN Range Foswiki-1.0.0-beta3, Fri, 02 Jan 2009, build 1697
AppliesTo Engine
Component Sandbox
Priority Normal
CurrentState Closed
WaitingFor
Checkins distro:6d01404ac72d distro:f2394e70188a distro:f845ba58f23f distro:6756d8ee3b30 distro:529cedf86fac
TargetRelease patch
ReleasedIn 1.0.0
Topic revision: r15 - 09 Jan 2009, KennethLavrsen