Item11521: Taint problems in perl 5.8.x?
Priority: Normal
Current State: No Action Required
Released In: 1.2.0
Target Release: minor
Applies To: Engine
Component:
Branches:
We officially support perl 5.8.8+, but I'm concerned that seeing as none of the core developers are using a perl this old, some taint problems are slipping through the cracks.
Can we get somebody to run a nightly build on a 5.8.8 VM? Without that, this is just going to keep happening...
Tainting problems reported on Perl 5.8.x:
- Perl 5.8.9 (though I think I have reproduced this on perl 5.14 when the working/logs dirs get created in a fresh, not-yet-saved config. The problem 'fixes itself': mkdir succeeds, as do subsequent config saves)
- Perl 5.8.5
- Perl 5.8.8
--
PaulHarvey - 13 Feb 2012
Dear Paul,
I confirm your concern about taint mode problems in perl 5.8.8. I've just upgraded from TWiki 4 to Foswiki 1.1.5, only to discover that attaching files to a topic (through the bin/upload CGI script) fails.
In FOSWIKI_PATH/working/logs/error.log I noticed this (after MANY hours of debugging):
| 2012-06-05T13:18:53Z warning | Insecure $ENV{PATH} while running with -T switch at /usr/local/escaux/foswiki/lib/Foswiki/Sandbox.pm line 557.
at /usr/local/escaux/foswiki/lib/Foswiki/Sandbox.pm line 557
Foswiki::Sandbox::sysCommand('Foswiki::Sandbox', '/usr/bin/rlog -h %FILENAME|F%', 'FILENAME', '/usr/local/escaux/foswiki/data/Main/WikiUsers.txt,v') called at /usr/local/escaux/foswiki/lib/Foswiki/Store/VC/RcsWrapHandler.pm line 358
Foswiki::Store::VC::RcsWrapHandler::_numRevisions('Foswiki::Store::VC::RcsWrapHandler=HASH(0x11ad6df0)') called at /usr/local/escaux/foswiki/lib/Foswiki/Store/VC/Handler.pm line 242
...
Strange, taint warnings? So I checked the config:
[root@ict005 foswiki]# grep SafeEnvPath lib/LocalSite.cfg
$Foswiki::cfg{SafeEnvPath} = '/sbin:/usr/sbin:/bin:/usr/bin';
rlog, the binary called earlier, is located in that safe path.
So, I tried this patch, manually setting the $ENV{PATH} and bypassing taint problems.
[root@ict005 foswiki]# diff bin/upload.orig bin/upload
6a7
> $ENV{PATH}='/sbin:/usr/sbin:/bin:/usr/bin';
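Review bot: the added assignment at line 7 of bin/upload sets $ENV{PATH} for that one script only, so it sidesteps the taint check rather than fixing why the configured path was not in effect. The failing call is Foswiki::Sandbox::sysCommand, reached from the RCS store handler (RcsWrapHandler::_numRevisions), which is shared code, so the same "Insecure $ENV{PATH}" can recur from any other script that reaches the store. The literal also duplicates the value already in $Foswiki::cfg{SafeEnvPath} in LocalSite.cfg; if that setting is not being applied to %ENV before sysCommand runs, the change belongs where SafeEnvPath is consumed, not in a per-script override. Useful as a diagnostic that confirms PATH is the culprit, but it should not be kept as the fix.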
Now attaching of files/upload works flawlessly.
Could this be a problem in my config, or a compatibility issue between perl 5.8.8 and Foswiki?
Some info about the environment:
OS:
RedHat Enterprise Linux 5.8 (codename Tikanga) , having all the latest updates.
Perl: 5.8.8
Extra package repository used: rpmforge
--
BertVermeulen - 05 Jun 2012
I've been occasionally running the unit test suite on Perl 5.8.4, which is the minimum perl for Foswiki 1.1.5, since Item11890. The complete suite runs without taint errors.
SafeEnvPath should be thoroughly untainted in release 1.1.5.
--
GeorgeClark - 05 Jun 2012
George, you are forgetting something important - a distro's Perl is not the same as the real release - and redhat patches things quite often.
perlbrew is nice, but distro perl makes life more complicated.
--
SvenDowideit - 07 Nov 2012
I guess I don't understand the issue. If $Foswiki::cfg{SafeEnvPath} has been set in your LocalSite.cfg, then it should already be untainted and overrides the %ENV{PATH} setting. And if it's not set, Foswiki.pm initialization code explicitly untaints the %ENV{PATH} setting. It's this way in 1.1.4 as well.
--
GeorgeClark - 07 Nov 2012
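The taint-mode behaviour discussed above (an inherited $ENV{PATH} making Sandbox's external rlog call die under -T, and the configured SafeEnvPath being untainted before it replaces %ENV{PATH}) as a stand-alone added example. This is not Foswiki code and not Bert's patch; the SafeEnvPath value, the untaint_path regex and the function names are my own, chosen to mirror what George describes. Run it with `perl -T`:

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: why an inherited $ENV{PATH} makes
# system()/backticks die under -T, and how a configured safe path is
# vetted and untainted before an external command such as rlog is run.
# Run as:  perl -T taint_path.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Stand-in for $Foswiki::cfg{SafeEnvPath}; the value is an assumption.
my $SAFE_ENV_PATH = '/sbin:/usr/sbin:/bin:/usr/bin';

# perlsec: the shell also consults these, so taint mode refuses to exec
# while they are set from outside the program. Drop them up front.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $path, accepting only ':'-separated absolute
# directories made of plain characters. The regex capture is what lifts
# the taint flag; the check is what makes lifting it safe to do.
sub untaint_path {
    my ($path) = @_;
    die "SafeEnvPath is not set\n" unless defined $path && length $path;
    if ( $path =~ m{^( /[\w./-]+ (?: : /[\w./-]+ )* )$}x ) {
        return $1;
    }
    die "refusing to untaint PATH '$path': relative or odd component\n";
}

# Run a command with PATH replaced by the vetted value for the duration
# of the call only. Returns true on exit status 0.
sub run_with_safe_path {
    my (@cmd) = @_;
    local $ENV{PATH} = untaint_path($SAFE_ENV_PATH);
    return system(@cmd) == 0;
}

printf "inherited PATH is %s\n", tainted( $ENV{PATH} ) ? 'tainted' : 'clean';

# 1. With the inherited PATH every exec-family call dies, even when the
#    command is given by absolute path; this is the 'Insecure $ENV{PATH}'
#    that Sandbox::sysCommand hit in error.log.
eval { system('/bin/true') };
print "expected failure: $@" if $@;

# 2. A relative or '.' component is rejected by our check before Perl
#    would reject it as insecure itself.
eval { untaint_path('/bin:.:/usr/bin') };
print "rejected: $@" if $@;

# 3. With the vetted path in place the same call succeeds.
print "call with safe PATH ", ( run_with_safe_path('/bin/true') ? 'ok' : 'failed' ), "\n";
```

Two things the example makes visible that the log line does not: the check fires on any system()/exec()/backtick call while $ENV{PATH} is tainted, regardless of whether the command itself is given by absolute path, and a regex capture is the only thing that clears the taint flag, so whatever pattern does the clearing is the real security boundary. Perl additionally refuses PATH entries that are relative or world-writable directories with a separate "Insecure directory in $ENV{PATH}" error, which a pattern check alone cannot catch.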
I'm removing myself from the WaitingFor because I lack the time to work on this. Bert, if you have time, we would appreciate your advice on this bug. Do you think it should block a Foswiki 1.2.0 release? Are you still on perl 5.8?
--
PaulHarvey - 17 Nov 2012 - 02:42
Unfortunately, I'm not in a position to try and reproduce the issue on another RedHat EL 5.8 system due to a lack of licenses. I tried the next best thing: a Foswiki setup on CentOS, which uses the same or very similar software as the RedHat version they're based upon:
* CentOS release 5.8 (Final)
* perl 5.8.8
* Foswiki 1.1.5
With this setup, I couldn't reproduce the error: attaching files to a topic went fine, no taint errors were seen in the logfile.
For me personally, this issue is non-blocking. I have a workaround, and any future install of Foswiki will be done on a RedHat 6 with a more recent perl version.
--
BertVermeulen - 17 Mar 2013
I'm marking this as no action required. If anyone recreates this issue, please reopen, and mark it urgent.
--
GeorgeClark - 02 Jun 2014