Item13938: Random Taint errors in CGI/Session/Driver/file.pm
Priority: Normal
Current State: Confirmed
Released In: n/a
Target Release: major
When using mod_perl (engine Foswiki::Engine::Apache2::MP20) together with an Apache configuration generated by ApacheConfigGenerator (but with PerlSwitches -wT), accessing FoswikiServerInformation triggers the following taint error:
[Tue Feb 02 14:55:24.279516 2016] [perl:error] [pid 12285:tid 139820147820288] [client 10.0.3.1:37036] Insecure dependency in sysopen while running with -T switch at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session/Driver/file.pm line 107.\n at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session/Driver/file.pm line 107.\n\tCGI::Session::Driver::file::store(CGI::Session::Driver::file=HASH(0x7f2a54c824e8), "324f3c95fd90535bdc64c32f126b97c3", "\\x{4}\\x{a}\\x{8}12345678\\x{4}\\x{8}\\x{8}\\x{8}\\x{3}\\x{8}\\x{0}\\x{0}\\x{0}\\x{6}KC\\x{ad}V\\x{0}\\x{0}\\x{0}\\x{0}\\x{e}\\x{0}\\x{0}\\x{0}_SESSION_CTIME\\x{a} 324f3c95fd90"...) called at /var/www/.plenv/versions/5.22.1-ithreads-shrplib/lib/perl5/site_perl/5.22.1/CGI/Session.pm line 251\n\tCGI::Session::flush(Foswiki::LoginManager::Session=HASH(0x7f2a54c82410)) called at /var/www/apps/foswiki/lib/Foswiki/LoginManager.pm line 727\n\tFoswiki::LoginManager::complete(Foswiki::LoginManager::TemplateLogin=HASH(0x7f2a54bd0528)) called at /var/www/apps/foswiki/lib/Foswiki/LoginManager.pm line 209\n\tFoswiki::LoginManager::finish(Foswiki::LoginManager::TemplateLogin=HASH(0x7f2a54bd0528)) called at /var/www/apps/foswiki/lib/Foswiki/Users.pm line 163\n\tFoswiki::Users::finish(Foswiki::Users=HASH(0x7f2a54829310)) called at /var/www/apps/foswiki/lib/Foswiki.pm line 2522\n\tFoswiki::finish(Foswiki=HASH(0x7f2a5412a5b0)) called at /var/www/apps/foswiki/lib/Foswiki/UI.pm line 501\n\tFoswiki::UI::_execute(Foswiki::Request=HASH(0x55bd7bda0d48), CODE(0x55bd7bda0700), "view", 1) called at /var/www/apps/foswiki/lib/Foswiki/UI.pm line 326\n\tFoswiki::UI::handleRequest(Foswiki::Request=HASH(0x55bd7bda0d48)) called at /var/www/apps/foswiki/lib/Foswiki/Engine/Apache.pm line 91\n\tFoswiki::Engine::Apache::run(Apache2::RequestRec=SCALAR(0x55bd7bd8be70)) called at -e line 0\n\teval {...} called at -e line 0\n
--
MarkusUeberall - 02 Feb 2016
This is caused by an upstream package error. See
We recommend disabling Taint checking if you encounter this error after installing an updated perl. You can resolve this issue through one or more of the following actions:
- Remove the "-wT" or "-T" flags from any bin or tools scripts.
- Remove the PerlSwitches -wT statement from the Foswiki Apache configuration (when using mod_perl).
- Comment out the line $ENV{FOSWIKI_ASSERTS} = 1; in bin/LocalLib.cfg
- Uninstall CPAN:Taint::Runtime (not necessary if you disable FOSWIKI_ASSERTS)
You could also temporarily patch the CGI/Session/Driver/file.pm to untaint the path.
--- /disk2/perl5/perlbrew/perls/perl-5.20.2/lib/site_perl/5.20.2/CGI/Session/Driver/file.pm 2015-05-27 19:39:30.000000000 -0400
+++ /usr/share/perl5/CGI/Session/Driver/file.pm 2016-01-26 22:40:50.481316202 -0500
@@ -90,6 +90,7 @@
my ($sid, $datastr) = @_;
my $path = $self->_file($sid);
+ ($path) = $path =~ m/^(.*)$/; # untaint the path
# make certain our filehandle goes away when we fall out of scope
local *FH;
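Review bot: The pattern in the added line, `m/^(.*)$/`, accepts any string that has no embedded newline, so it clears the taint flag on `$path` without validating anything about it. Consider matching only the expected shape of the session file path (directory plus session file name) and dying on a mismatch, so that an unexpected `$sid` is rejected before the file is opened. Also note that if the match fails, the list assignment leaves `$path` undefined and the code carries on with no error raised at this point.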
--
MarkusUeberall - 02 Feb 2016
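A stricter way to untaint the session file path than a catch-all pattern, as an added example that is not part of the original report or of CGI::Session's code. It assumes the file driver's default `cgisess_<sid>` file name, 32-hex-digit session ids like the one in the log above, and a hypothetical session directory.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Assumptions: default "cgisess_<sid>" file name and 32-hex-digit ids.
sub session_path {
    my ($dir, $sid) = @_;

    # Validate first, then capture: only a captured group comes back untainted.
    my ($clean_sid) = $sid =~ /\A([0-9a-f]{32})\z/
        or die "rejected session id\n";
    my ($clean_dir) = $dir =~ m{\A(/(?:[\w.-]+/)*[\w.-]+)\z}
        or die "rejected session directory\n";

    # An absolute path made of safe characters can still contain "..".
    die "rejected session directory\n"
        if grep { $_ eq '..' } File::Spec->splitdir($clean_dir);

    return File::Spec->catfile($clean_dir, "cgisess_$clean_sid");
}

# Constructed sample input: a zero-length slice of $^X carries taint,
# so appending it marks the otherwise literal strings as tainted.
my $TAINT = substr($^X, 0, 0);
my $dir   = '/var/www/apps/foswiki/working/tmp' . $TAINT;  # hypothetical directory
my $sid   = '324f3c95fd90535bdc64c32f126b97c3' . $TAINT;   # id shown in the log

my $path = session_path($dir, $sid);
printf "%s tainted=%d\n", $path, tainted($path) ? 1 : 0;

# A value that is not a session id is refused, where m/^(.*)$/ would
# have accepted it and cleared its taint flag.
my $bad = '../outside' . $TAINT;                            # constructed bad id
my $ok  = eval { session_path($dir, $bad); 1 };
print "bad id: ", ($ok ? "accepted" : "rejected"), "\n";
```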
Unfortunately this is an upstream error and after many months, it seems that no fix is forthcoming. The CGI::Session developer has moved on. It may be that the eventual fix for this will be moving away from CGI::Session. The OO Foswiki experimental branch has moved to Plack / PSGI and may have an opportunity to replace CGI::Session with the Plack/PSGI implementation.
--
GeorgeClark - 25 Sep 2016