Item8229: Error "Insecure dependency in sprintf while running with -T switch"
Priority: Urgent
Current State: Closed
Released In: 1.1.0
Target Release: minor
I get this error after trying to compare the two highest revisions of a topic with includes and a table with a few %CALC functions:
| 2009-08-06T18:56:24Z warning | Insecure dependency in sprintf while running with -T switch at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm line 237.
at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm line 237
Foswiki::Plugins::SpreadSheetPlugin::Calc::doFunc('ERROR: Search pattern not terminated', undef) called at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm line 178
Foswiki::Plugins::SpreadSheetPlugin::Calc::doFunc('MAIN', '$FORMAT\x{0}1( NUMBER, 2, $EVAL\x{0}2( $T\x{0}3(R$ROW\x{0}4(\x{0}4):C4\x{0}3) / $T\x{0}3(...') called at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm line 142
Foswiki::Plugins::SpreadSheetPlugin::Calc::doCalc('ERROR: Search pattern not terminated') called at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm line 114
Foswiki::Plugins::SpreadSheetPlugin::Calc::CALC('---+!! Willkommen im <nop>Diab Web\x{a}\x{a}---++ !TagesBericht erzeu...', 'WebHome', 'Diab', 0, undef) called at /var/lib/foswiki/lib/Foswiki/Plugins/SpreadSheetPlugin.pm line 85
Foswiki::Plugins::SpreadSheetPlugin::commonTagsHandler('---+!! Willkommen im <nop>Diab Web\x{a}\x{a}---++ !TagesBericht erzeu...', 'WebHome', 'Diab', 0, undef) called at /var/lib/foswiki/lib/Foswiki/Plugin.pm line 273
Foswiki::Plugin::invoke('Foswiki::Plugin=HASH(0x92e86a8)', 'commonTagsHandler', '---+!! Willkommen im <nop>Diab Web\x{a}\x{a}---++ !TagesBericht erzeu...', 'WebHome', 'Diab', 0, undef) called at /var/lib/foswiki/lib/Foswiki/Plugins.pm line 316
Foswiki::Plugins::dispatch('Foswiki::Plugins=HASH(0x8fd1a68)', 'commonTagsHandler', '---+!! Willkommen im <nop>Diab Web\x{a}\x{a}---++ !TagesBericht erzeu...', 'WebHome', 'Diab', 0, undef) called at /var/lib/foswiki/lib/Foswiki.pm line 2991
Foswiki::handleCommonTags('Foswiki=HASH(0x8a79078)', '---+!! %MAKETEXT{"Welcome to the [_1] web" args="<nop>%WEB%"}...', 'Diab', 'WebHome', undef) called at /var/lib/foswiki/lib/Foswiki/Func.pm line 1942
Foswiki::Func::expandCommonVariables('---+!! %MAKETEXT{"Welcome to the [_1] web" args="<nop>%WEB%"}...', 'WebHome', 'Diab') called at /var/lib/foswiki/lib/Foswiki/Contrib/CompareRevisionsAddOn/Compare.pm line 304
Foswiki::Contrib::CompareRevisionsAddOn::Compare::_getTree('Foswiki=HASH(0x8a79078)', 'Diab', 'WebHome', 6) called at /var/lib/foswiki/lib/Foswiki/Contrib/CompareRevisionsAddOn/Compare.pm line 104
Foswiki::Contrib::CompareRevisionsAddOn::Compare::compare('Foswiki=HASH(0x8a79078)') called at /var/lib/foswiki/lib/Foswiki/UI.pm line 299
Foswiki::UI::__ANON__() called at /usr/share/perl5/Error.pm line 416
eval {...} called at /usr/share/perl5/Error.pm line 408
Error::subs::try('CODE(0x8afaa78)', 'HASH(0x97ff2d0)') called at /var/lib/foswiki/lib/Foswiki/UI.pm line 381
Foswiki::UI::_execute('Foswiki::Request=HASH(0x8dd93a8)', 'CODE(0x8fb0c50)', 'comparing', 1) called at /var/lib/foswiki/lib/Foswiki/UI.pm line 270
Foswiki::UI::handleRequest('Foswiki::Request=HASH(0x8dd93a8)') called at /var/lib/foswiki/lib/Foswiki/Engine/CGI.pm line 26
Foswiki::Engine::CGI::run('Foswiki::Engine::CGI=HASH(0x8cd16c8)') called at /usr/lib/cgi-bin/foswiki/compare line 44.
--
WolfgangRaus - 06 Aug 2009
Also raising to urgent as both components are now part of the core, and they have to work together nicely.
--
OlivierRaginel - 06 Aug 2009
We also see this kind of problem with the old rdiff feature.
So the issue is that SpreadSheetPlugin (SSP) and EditTablePlugin, to work better under normal view, now do a lot of evaluation also in rdiff and compare, and the result is often that SSP returns garbage.
When you think about it, the end user may be better off seeing what actually changed in the SSP CALCs than seeing the results of the CALC.
Showing the word "CALC" instead of the result, as we now do in EditTablePlugin when editing a table, is not a good solution as it does not show changes in the CALC content.
We should experiment a little to see how it will work simply letting SSP disable itself when you rdiff and compare, i.e. change the SSP.
The actual error above, "Insecure dependency in sprintf", is a bug in SSP in itself. That taint issue needs to be addressed as a separate bug.
Since both bugs are within SSP I have put this as the only plugin to address in this task. And I agree on the urgency for 1.1.
Wolfgang, I need an actual example of the topic you use because my errors are different from yours. I need both the topic and the ,v file.
--
KennethLavrsen - 06 Aug 2009
I had the same problem. Here's a patch which fixed SSP for me:
--- lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm (revision 4605)
+++ lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm (working copy)
@@ -242,6 +242,8 @@
$format =~ s/^\s*(.*?)\s*$/$1/; #Strip leading and trailing spaces
$res =~ s/^\s*(.*?)\s*$/$1/;
$value =~ s/^\s*(.*?)\s*$/$1/;
+$res =~ m/^(.*)$/;
+$res = $1;
if ( $format eq "DOLLAR" ) {
my $neg = 1 if $value < 0;
$value = abs($value);
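Review bot: the untaint in `+$res =~ m/^(.*)$/;` / `+$res = $1;` accepts any string, so it removes the taint flag without validating what is interpolated into the sprintf format. `$res` is the second argument of $FORMAT, which in the trace above is a plain precision (`$FORMAT( NUMBER, 2, ... )`), so a pattern that admits only digits, e.g. `if ( $res =~ /^(\d+)$/ ) { $res = $1 }`, would untaint and validate in one step. The match result is also unchecked: `.` does not match a newline, so for a `$res` with an embedded newline the match fails and `$1` may still hold the capture from the preceding `$value =~ s/^\s*(.*?)\s*$/$1/`, leaving `$res` silently set to that value. Branch on the match, with an else that rejects the input or falls back to a default precision.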
This untaints the $res variable. I only see this on newer perl-5.10 and not on earlier perls. It seems as if perl-5.10 is more pedantic with respect to variables being used inside the format parameter of an sprintf...
--
MichaelDaum - 07 Aug 2009
Uploaded the files.
--
WolfgangRaus - 07 Aug 2009
This untaint is present in the trunk codebase and Wolfgang's example works fine for me, so assuming it's closed.
BTW, I have seen this before; it appears that since 5.10, a s/// does not untaint.
--
CrawfordCurrie - 07 Jun 2010
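As an added example, not code from Foswiki or from the SpreadSheetPlugin patch above, the following Perl script shows the three things this thread turns on: a tainted value interpolated into an sprintf format dies under -T with exactly the message in the trace; the m/^(.*)$/ untaint from Michael's patch clears the taint flag without validating anything, whereas a pattern that only admits digits does both; and, as Crawford notes, s/// leaves the taint flag in place. The file name taint_demo.pl, the tainted_copy helper and the sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Foswiki/SpreadSheetPlugin code: how Perl's taint mode
# treats a tainted sprintf format, what the blanket m/^(.*)$/ untaint from
# the patch lets through, and that s/// leaves the taint flag in place.
# Run with taint checks on:   perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run this as: perl -T $0\n" unless ${^TAINT};

# Constructed input. Under -T every %ENV value is tainted, so appending an
# empty slice of $ENV{PATH} is the usual trick to taint a literal on purpose.
sub tainted_copy {
    my ($s) = @_;
    my $path = defined $ENV{PATH} ? $ENV{PATH} : '';
    return $s . substr( $path, 0, 0 );
}

my $value = 3.14159;

# 1. What Calc.pm hit: the precision argument of $FORMAT interpolated into
#    the format string. A tainted format makes sprintf die under -T.
my $precision = tainted_copy('2');
my $out = eval { sprintf( "%.${precision}f", $value ) };
print defined $out ? "formatted: $out\n" : "sprintf refused: $@";

# 2. The patch's untaint, m/^(.*)$/ then $1: it clears the taint flag for
#    any input, so a "precision" of '2f %s%s' is laundered, not validated.
sub untaint_anything {
    my ($s) = @_;
    # Check the match: on failure $1 still holds the previous capture in
    # scope, and an unguarded '$res = $1' would silently use that.
    return $s =~ m/^(.*)$/ ? $1 : undef;
}
my $laundered = untaint_anything( tainted_copy('2f %s%s') );
printf "blanket untaint: tainted=%d value='%s'\n",
    tainted($laundered) ? 1 : 0, $laundered;

# 3. Validate instead: accept only what a precision can be (one or two
#    digits, surrounding whitespace allowed) and reject everything else.
sub untaint_precision {
    my ($s) = @_;
    return ( defined $s && $s =~ /^\s*(\d{1,2})\s*$/ ) ? $1 : undef;
}
for my $in ( '2', ' 4 ', '2f %s%s', '99999', "1\n1" ) {
    my $p = untaint_precision( tainted_copy($in) );
    ( my $shown = $in ) =~ s/\n/\\n/g;    # keep the report on one line
    printf "%-10s -> %s\n", $shown,
        defined $p ? sprintf( "%.${p}f", $value ) : 'rejected';
}

# 4. Crawford's point: s/// does not untaint, even with a capture in the
#    replacement. Only a capture read back from a match gives clean data.
my $stripped = tainted_copy('  2  ');
$stripped =~ s/^\s*(.*?)\s*$/$1/;    # the strip Calc.pm does first
printf "after s///:    tainted=%d\n", tainted($stripped) ? 1 : 0;
my ($clean) = $stripped =~ /^(\d{1,2})$/;
printf "after capture: tainted=%d\n", tainted($clean) ? 1 : 0;
```

Run it as `perl -T taint_demo.pl`; without -T the script stops at the ${^TAINT} check, because the whole point is the behaviour under taint checks. Step 1 reproduces the "Insecure dependency in sprintf while running with -T switch" message from the trace, step 2 shows the laundered value reported as untainted, step 3 accepts '2' and ' 4 ' and rejects the other inputs, and step 4 reports tainted=1 after the s/// and tainted=0 after the digit-only capture.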