Closed Bug 1089448 Opened 10 years ago Closed 9 years ago

Strawberry Perl throws a "Insecure dependency in sysopen" error when attaching a file

Categories

(Bugzilla :: Attachments & Requests, defect)

5.0.1
defect
Not set
major

RESOLVED FIXED
Bugzilla 5.0

People

(Reporter: ebihag, Assigned: LpSolit)

Attachments

(1 file, 1 obsolete file)

Attached file Error.txt (obsolete)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
Steps to reproduce: Clicked on home, Typed #1 on box and clicked QuickSearch. On Bug#1, I clicked on Add an Attachment. Clicked on Choose File. Took me to the tree, selected a file, went back to same page. Typed something on Description. Clicked on Submit
Actual results: Received message from this url: http://harbugrep01/attachment.cgi Software error: Insecure dependency in sysopen while running with -T switch at C:/Perl64/lib/File/Temp.pm line 380.
Expected results: Should receive a message that attachment was done successfully.
Looks like a bug with your perl installation, or maybe you have custom code. See http://www.bugzilla.org/support for help.
Assignee: general → attach-and-request
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Bugzilla-General → Attachments & Requests
Resolution: --- → WORKSFORME
No custom code was implemented. Any suggestions how to deal w/ bug in perl? Would you suggest to uninstall 5.16 and downgrade?
I am having the same issue. I have the latest version of Bugzilla and Perl version 5.16.3 32bit.
Let's reopen it for now, for further investigation. But this is not reproducible for many of us.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
I can reproduce the issue - the common thread between my install and the various opened tickets is a Windows Installation running Strawberry Perl. Other comments seem to be indicating ActiveState Perl is working fine. I can replicate the error consistently when trying to attach a file in this environment: Bugzilla 5.0; OS: Windows Server 2008 R2; Web: Apache 2.4.9; DB: MySQL 5.6.20; Perl: Strawberry Perl 32-bit 5.22.
I found the same issue with ActiveState Perl on Windows in one of my cloud instances, where I had installed Bugzilla over XAMPP.
OK, I can reproduce this problem on Windows 7 using IIS 7.5 and Strawberry Perl 5.22.0 (and Bugzilla 5.0.1).
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Error with attachments : Insecure dependency in sysopen → Strawberry Perl throws a "Insecure dependency in sysopen" error when attaching a file
Version: 4.2.11 → 5.0.1
The problem is that on Windows, $ENV{TMP} and $ENV{TEMP} are both tainted and so are skipped by File::Spec::Win32->tmpdir. File::Temp is then unable to create a temporary file when uploading attachments. This problem has been reported upstream: https://rt.cpan.org/Public/Bug/Display.html?id=60406 But we can fix it on our side pretty easily. Patch coming.
Target Milestone: --- → Bugzilla 5.0
Attached patch patch, v1
Assignee: attach-and-request → LpSolit
Attachment #8511771 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8664376 - Flags: review?(gerv)
LpSolit: is there anyone who actually has Windows who can test and review this? Gerv
(In reply to Gervase Markham [:gerv] from comment #12)
> LpSolit: is there anyone who actually has Windows who can test and review
> this?
You mean besides me (comment 9)? Just count the number of _active_ reviewers (dkl, gerv, LpSolit), exclude those who don't have Windows (dkl, gerv), and I think you have your answer. :)
Comment on attachment 8664376: patch, v1. Review of attachment 8664376: r=gerv. Gerv
Attachment #8664376 - Flags: review?(gerv) → review+
Flags: approval5.0?
Flags: approval5.0? → approval5.0+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   b92f32d..b8a1ef4  master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   f7216aa..a326cd5  5.0 -> 5.0
Status: ASSIGNED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
This patch did not fix the issue on my installation. Win 2008r2, Apache 2.2, Perl 5.20.2 (ActiveState), Bugzilla 5.0.1, PathTools 3.47
This patch fixed the issue on my installation. Win2008R2, IIS 7.5.7600.16385, ActiveState Perl 5.20.2, Bugzilla 5.0, File::Temp 0.2304. It took me a while to track it down, though, as I had neglected to install the URL Rewrite as the documentation demands.
I am using Bugzilla 5.0.1 on Windows IIS with Strawberry Perl and I still have this issue when adding attachments: "Insecure dependency in sysopen while running with -T switch at C:/Strawberry/perl/lib/File/Temp.pm line 380." Can somebody explain how I can get the patch, because as far as I know I have pulled the latest version from GitHub.
The patch should already be part of 5.0.1, so check if it is in your case. It is available in my 5.0.2, so upgrading once more might be an option as well. If that doesn't change things, check your temporary upload dirs and such, because the patch is simply changing some ENV vars. It might be that in your case the upload goes to another directory for any reason and that might still be tainted, because it's not coming from the ENV or such. So you need to debug the issue further.
(In reply to Kevin Turner from comment #18)
> "Insecure dependency in sysopen while running with -T switch at
> C:/Strawberry/perl/lib/File/Temp.pm line 380."
You need 5.0.2 to use Strawberry Perl, not 5.0.1. Anyway, I investigated again, and in some cases $ENV{TEMP} and $ENV{TMP} are not set. In that case, some (older?) versions of CGI.pm fall back to $ENV{WINDIR}, which is tainted. So I added it to the list of environment variables to detaint in case one has such a version of CGI.pm.
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   2e0038d..76fd2f898  master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   6e6093a..a28da9f  5.0 -> 5.0
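The detainting described in this thread (tainted $ENV{TMP} and $ENV{TEMP}, plus the $ENV{WINDIR} fallback), sketched as an added example; it is not the Bugzilla patch or code from this bug. The function names, the allow-list pattern and the sample values are assumptions made for illustration.

```perl
# Run with taint checks enabled:  perl -T detaint_tmp.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempfile);

# Variables named in this bug report: TMP, TEMP and WINDIR.
my @TEMP_VARS = qw(TMP TEMP WINDIR);

# Return an untainted copy of a directory path, or undef when it contains
# characters outside a conservative allow-list (assumed pattern, not Bugzilla's).
sub detaint_dir {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    return $value =~ m{\A((?:[A-Za-z]:)?[\w\\/ .~()-]+)\z} ? $1 : undef;
}

# Detaint each listed variable in place and return a status per variable.
sub detaint_temp_env {
    my %report;
    for my $name (@TEMP_VARS) {
        my $value = $ENV{$name};
        if    (!defined $value)  { $report{$name} = 'unset' }
        elsif (!tainted($value)) { $report{$name} = 'clean' }
        elsif (defined(my $ok = detaint_dir($value))) {
            $ENV{$name}    = $ok;
            $report{$name} = 'detainted';
        }
        else { $report{$name} = 'rejected, left tainted' }
    }
    return \%report;
}

die "Taint mode is off; rerun with perl -T\n" unless ${^TAINT};

# Constructed sample values, used only where the variable is not already set.
my $taint = substr("$0$^X", 0, 0);          # zero-length but tainted string
$ENV{TMP}    //= 'C:/Temp' . $taint;        # plausible path: accepted
$ENV{WINDIR} //= 'C:/Windows|x' . $taint;   # disallowed character: rejected

my $report = detaint_temp_env();
printf "%-6s %s\n", $_, $report->{$_} for @TEMP_VARS;

# File::Spec skips tainted candidates, so only detainted values can be chosen.
my $dir = File::Spec->tmpdir;
my ($fh, $path) = tempfile(DIR => $dir, UNLINK => 1);
print "tmpdir: $dir\ntemp file created: $path\n";
```

A value that fails the allow-list is left tainted on purpose, so a later sysopen on it still dies under -T instead of silently trusting the path.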
I made it work in an "easier way" on my Bugzilla 5.0.1 Installation. I just got the file MIME.pm from Bugzilla 5.0.2 release and I copied it to my installation. My environment is: Bugzilla: 5.0.1; OS: Windows Server 2008 R2; Perl: Strawberry Perl 5.22.0.1; Web: IIS 7.5.7600; DB: MySQL 5.6.20.
Hi Fred, This patch did not work for me. Specifications: Windows 7 - 64 bit OS; Bugzilla 5.0.2; Perl 5.22.1; MySQL v5.6.21. Should I do anything different for 5.0.2? Thanks!
Flags: needinfo?(LpSolit)
(In reply to Ananya Joisa from comment #23)
> This patch did not work for me.
That doesn't help much, because two patches were mentioned already: That one attached and that from Comment 20. Did you try both? If yes, which of the mentioned env vars are available in your web server and to which targets do they point to? Additionally you should look at your CGI.pm for which env vars are actually used when. Start with searching those mentioned in Comment 20 and look if there are some use cases in which others are used.
You should upgrade to 5.0.3. There have been additional commits related to Strawberry Perl.
Flags: needinfo?(LpSolit)