Strawberry Perl throws a "Insecure dependency in sysopen" error when attaching a file

RESOLVED FIXED in Bugzilla 5.0

Status

Product: Bugzilla
Component: Attachments & Requests
Severity: major
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 11 months ago

People

(Reporter: ebihag, Assigned: Frédéric Buclin)

Tracking

Version: 5.0.1
Target Milestone: Bugzilla 5.0
Bug Flags: approval5.0 +


Attachments

(1 attachment, 1 obsolete attachment)

patch, v1: 714 bytes, patch; gerv: review+
(Reporter)

Description

3 years ago
Created attachment 8511771 [details]
Error.txt

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36

Steps to reproduce:

Clicked on Home, typed #1 in the box and clicked QuickSearch. On Bug #1, I clicked on Add an Attachment. Clicked on Choose File. Took me to the tree, selected a file, went back to the same page. Typed something in Description. Clicked on Submit.


Actual results:

Received message from this url: 
http://harbugrep01/attachment.cgi 

Software error:
Insecure dependency in sysopen while running with -T switch at C:/Perl64/lib/File/Temp.pm line 380.


Expected results:

Should receive a message that the attachment was added successfully.
(Assignee)

Comment 1

3 years ago
Looks like a bug with your perl installation, or maybe you have custom code. See http://www.bugzilla.org/support for help.
Assignee: general → attach-and-request
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Component: Bugzilla-General → Attachments & Requests
Resolution: --- → WORKSFORME

Comment 2

3 years ago
No custom code was implemented.  Any suggestions how to deal w/ bug in Perl?  Would you suggest to uninstall 5.16 and downgrade?

Comment 3

3 years ago
See http://www.bugzilla.org/support for help.

Comment 4

3 years ago
I am having the same issue. I have the latest version of Bugzilla and Perl version 5.16.3 32bit.
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1150072
(Assignee)

Comment 6

2 years ago
Let's reopen it for now, for further investigation. But this is not reproducible for many of us.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

Comment 7

2 years ago
I can reproduce the issue - the common thread between my install and the various opened tickets is a Windows Installation running Strawberry Perl.  Other comments seem to be indicating ActiveState Perl is working fine.

I can replicate the error consistently when trying to attach a file in this environment:

Bugzilla 5.0
OS: Windows Server 2008 R2
Web: Apache 2.4.9
DB: MySQL 5.6.20
Perl: Strawberry Perl 32-bit 5.22

Comment 8

2 years ago
I found the same issue with ActiveState Perl on Windows in one of my cloud instances.
I had installed Bugzilla over XAMPP.
(Assignee)

Comment 9

2 years ago
OK, I can reproduce this problem on Windows 7 using IIS 7.5 and Strawberry Perl 5.22.0 (and Bugzilla 5.0.1).
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Error with attachments : Insecure dependency in sysopen → Strawberry Perl throws a "Insecure dependency in sysopen" error when attaching a file
Version: 4.2.11 → 5.0.1
(Assignee)

Comment 10

2 years ago
The problem is that on Windows, $ENV{TMP} and $ENV{TEMP} are both tainted and so are skipped by File::Spec::Win32->tmpdir. File::Temp is then unable to create a temporary file when uploading attachments.

This problem has been reported upstream:

https://rt.cpan.org/Public/Bug/Display.html?id=60406

But we can fix it on our side pretty easily. Patch coming.
Target Milestone: --- → Bugzilla 5.0
(Assignee)

Comment 11

2 years ago
Created attachment 8664376 [details] [diff] [review]
patch, v1
Assignee: attach-and-request → LpSolit
Attachment #8511771 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8664376 - Flags: review?(gerv)
Comment 12

LpSolit: is there anyone who actually has Windows who can test and review this?

Gerv
(Assignee)

Comment 13

2 years ago
(In reply to Gervase Markham [:gerv] from comment #12)
> LpSolit: is there anyone who actually has Windows who can test and review
> this?

You mean besides me (comment 9)? Just count the number of _active_ reviewers (dkl, gerv, LpSolit), exclude those who don't have Windows (dkl, gerv), and I think you have your answer. :)
Comment 14

Comment on attachment 8664376 [details] [diff] [review]
patch, v1

Review of attachment 8664376 [details] [diff] [review]:
-----------------------------------------------------------------

r=gerv.

Gerv
Attachment #8664376 - Flags: review?(gerv) → review+
(Assignee)

Updated

2 years ago
Flags: approval5.0?

Updated

2 years ago
Flags: approval5.0? → approval5.0+
(Assignee)

Comment 15

2 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   b92f32d..b8a1ef4  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   f7216aa..a326cd5  5.0 -> 5.0
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago → 2 years ago
Resolution: --- → FIXED

Comment 16

2 years ago
This patch did not fix the issue on my installation. Win 2008r2, Apache 2.2, Perl 5.20.2 (ActiveState), Bugzilla 5.0.1, PathTools 3.47

Comment 17

2 years ago
This patch fixed the issue on my installation.  Win2008R2, IIS 7.5.7600.16385, ActiveState Perl 5.20.2, Bugzilla 5.0, File::Temp 0.2304.  It took me a while to track it down, though, as I had neglected to install the URL Rewrite as the documentation demands.

Comment 18

2 years ago
I am using Bugzilla 5.0.1 on Windows IIS with Strawberry Perl and I still have this issue when adding attachments:

"Insecure dependency in sysopen while running with -T switch at C:/Strawberry/perl/lib/File/Temp.pm line 380."

Can somebody explain how I can get the patch, because as far as I know I have pulled the latest version from GitHub.

Comment 19

2 years ago
The patch should already be part of 5.0.1, so check if it is in your case. It is available in my 5.0.2, so upgrading once more might be an option as well.

If that doesn't change things, check your temporary upload dirs and such, because the patch is simply changing some ENV vars. It might be that in your case the upload goes to another directory for any reason and that might still be tainted, because it's not coming from the ENV or such.

So you need to debug the issue further.
(Assignee)

Comment 20

2 years ago
(In reply to Kevin Turner from comment #18)
> "Insecure dependency in sysopen while running with -T switch at
> C:/Strawberry/perl/lib/File/Temp.pm line 380."

You need 5.0.2 to use Strawberry Perl, not 5.0.1.

Anyway, I investigated again, and in some cases $ENV{TEMP} and $ENV{TMP} are not set. In that case, some (older?) versions of CGI.pm fall back to $ENV{WINDIR}, which is tainted. So I added it to the list of environment variables to detaint in case one has such a version of CGI.pm.

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   2e0038d..76fd2f898 master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   6e6093a..a28da9f  5.0 -> 5.0
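The cause given in comment 10 (tainted TMP and TEMP skipped by File::Spec::Win32->tmpdir) and the WINDIR fallback from comment 20, as an added Perl example of validating and detainting those variables before File::Temp needs them; this is not Bugzilla's own patch, and the accepted path pattern and the `bz-upload-XXXXXX` template are assumptions of the example.

```perl
#!/usr/bin/perl -T
# Added example, not Bugzilla's patch: make the temp-dir environment
# variables usable under taint mode (-T) so File::Spec->tmpdir() and
# File::Temp can create upload spool files on Windows.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempfile);

# Variables named in the bug: TMP and TEMP (comment 10) plus WINDIR,
# which some CGI.pm versions fall back to (comment 20).
my @TMP_VARS = qw(TMP TEMP WINDIR);

# Untaint a variable only if it looks like an absolute Windows directory
# (drive letter, separator, ordinary path characters, "~" for 8.3 names);
# this pattern is the example's assumption. Anything else is removed, not
# trusted: a catch-all like /(.*)/s would hide the error but defeat -T.
sub detaint_tmpdir_env {
    my @kept;
    for my $var (@TMP_VARS) {
        next unless defined $ENV{$var};
        if ($ENV{$var} =~ /\A([A-Za-z]:[\\\/][\w\\\/ .()~-]*)\z/) {
            $ENV{$var} = $1;      # the capture is untainted
            push @kept, $var;
        }
        else {
            delete $ENV{$var};    # unexpected shape: do not use it
        }
    }
    return @kept;
}

# Report whether each candidate is still tainted and what tmpdir() picks;
# under -T, File::Spec silently skips tainted candidates.
sub tmpdir_report {
    my %r = map { $_ => (defined $ENV{$_} ? (tainted($ENV{$_}) ? 'tainted' : 'clean') : 'unset') } @TMP_VARS;
    $r{tmpdir} = File::Spec->tmpdir;
    return \%r;
}
my $before = tmpdir_report();
detaint_tmpdir_env();
my $after = tmpdir_report();
printf "taint mode: %s\n", ${^TAINT} ? 'on' : 'off';
printf "%-7s before=%-8s after=%s\n", $_, $before->{$_}, $after->{$_} for @TMP_VARS;
print "tmpdir: $before->{tmpdir} -> $after->{tmpdir}\n";
# The operation that failed in the bug report: creating a temp file.
my ($fh, $name) = tempfile('bz-upload-XXXXXX', DIR => $after->{tmpdir}, UNLINK => 1);
print "created $name\n";
```

Run it as `perl -T` with TMP or TEMP set to a real directory to see the variable go from tainted to clean and the temp file get created; with a deliberately odd value it is dropped and tmpdir() falls back to the built-in candidates.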

Comment 21

2 years ago
I made it work in an "easier way" on my Bugzilla 5.0.1 installation.

I just got the file MIME.pm from Bugzilla 5.0.2 release and I copied it to my installation.

My environment is:

Bugzilla - 5.0.1

OS:   Windows Server 2008 R2
Perl: Strawberry Perl -  5.22.0.1
Web:  IIS 7.5.7600
DB:   MySQL 5.6.20
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1252977

Comment 23

a year ago
Hi Fred,

This patch did not work for me. Specifications:
Windows 7 - 64 bit OS
Bugzilla 5.0.2 
Perl 5.22.1
MySQL  v5.6.21

Should I do anything different for 5.0.2? Thanks!
Flags: needinfo?(LpSolit)
Comment 24

(In reply to Ananya Joisa from comment #23)
> This patch did not work for me.

That doesn't help much, because two patches were mentioned already: the one attached and the one from Comment 20. Did you try both? If yes, which of the mentioned env vars are available in your web server and to which targets do they point? Additionally you should look at your CGI.pm for which env vars are actually used when. Start with searching for those mentioned in Comment 20 and look if there are some use cases in which others are used.
(Assignee)

Comment 25

a year ago
You should upgrade to 5.0.3. There have been additional commits related to Strawberry Perl.
Flags: needinfo?(LpSolit)
(Assignee)

Updated

11 months ago
Duplicate of this bug: 1302368