Closed Bug 287763 Opened 19 years ago Closed 19 years ago

Receiving Error - Insecure dependency in require...

Categories

(Bugzilla :: Bugzilla-General, defect, P1)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: fgatwork, Assigned: glob)

References

(
URL
)

Details

Attachments

(1 file, 2 obsolete files)

v3
1015 bytes, patch
bugreport
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Received the following error after upgrading from tip:

Software error:

Insecure dependency in require while running with -T switch at
/usr/lib/perl5/5.8.3/i586-linux-thread-multi/IO/Socket.pm line 22.
Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.3/Net/LDAP.pm
line 8.
BEGIN failed--compilation aborted at
/usr/lib/perl5/vendor_perl/5.8.3/Net/LDAP.pm line 8.
Compilation failed in require at Bugzilla/Auth/Verify/LDAP.pm line 38.
BEGIN failed--compilation aborted at Bugzilla/Auth/Verify/LDAP.pm line 38.
Compilation failed in require at Bugzilla/Auth.pm line 43.
BEGIN failed--compilation aborted at Bugzilla/Auth.pm line 45.
Compilation failed in require at Bugzilla.pm line 28.
BEGIN failed--compilation aborted at Bugzilla.pm line 28.
Compilation failed in require at Bugzilla/Bug.pm line 38.
BEGIN failed--compilation aborted at Bugzilla/Bug.pm line 38.
Compilation failed in require at CGI.pl line 48.
BEGIN failed--compilation aborted at CGI.pl line 48.


Software error:

[Fri Mar 25 19:42:52 2005] index.cgi: Insecure dependency in require while
running with -T switch at
/usr/lib/perl5/5.8.3/i586-linux-thread-multi/IO/Socket.pm line 22.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at
/usr/lib/perl5/vendor_perl/5.8.3/Net/LDAP.pm line 8.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
/usr/lib/perl5/vendor_perl/5.8.3/Net/LDAP.pm line 8.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at
Bugzilla/Auth/Verify/LDAP.pm line 38.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
Bugzilla/Auth/Verify/LDAP.pm line 38.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at
Bugzilla/Auth.pm line 43.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
Bugzilla/Auth.pm line 45.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at
Bugzilla.pm line 28.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
Bugzilla.pm line 28.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at
Bugzilla/Bug.pm line 38.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
Bugzilla/Bug.pm line 38.
[Fri Mar 25 19:42:52 2005] index.cgi: Compilation failed in require at CGI.pl
line 48.
[Fri Mar 25 19:42:52 2005] index.cgi: BEGIN failed--compilation aborted at
CGI.pl line 48.
Compilation failed in require at /admin/Bugzilla/index.cgi line 33.


The system was running fine prior to the upgrade from cvs tip.  

Reproducible: Always

Steps to Reproduce:
1.Upgrade test system to latest cvs tip.
2.Run Bugzilla  :-)
3.Lather, rinse, repeat
You have it configured to use LDAP I assume based on the error messages?

*** Bug 287765 has been marked as a duplicate of this bug. ***
*** Bug 287764 has been marked as a duplicate of this bug. ***
Nope....I have the mod_auth_ldap module loaded as I am using it for another
virtual host on the same apache engine.

And I have successfully used the system since I loaded the ldap module.  It
wasn't until I pulled from the current tip that it blew up on me.
OK, so just to get it straight, you DON'T have Bugzilla configured to use LDAP...

which means something is REALLY broken because Bugzilla shouldn't even be
loading the LDAP modules if that's the case.
In fact, the stack trace there does indeed prove that you *are* using a Bugzilla
with the "verify method" parameter (or whatever it's called) set to LDAP.

What version of Net::LDAP do you have? Does upgrading it help?

I've also seen that IO::Socket error message before; I think it's from having
too old of a version of IO::Socket (as strange as that may sound). What version
of IO::Socket is on that machine? Does upgrading it help?
*** Bug 287926 has been marked as a duplicate of this bug. ***
We've been chasing this as a result of a few manifestations...

Without using LDAP, it shows up as soon as you try to use Net::SMTP (or anything
else that involves IO::Socket

See some of the notes on bug 287926

All you have to do is ....

#!/usr/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#

use strict;
use lib ".";
require "CGI.pl";
use Bugzilla::Config qw(:locations);


use Net::SMTP;
use IO::Socket;


If you skip the use Bugzilla::Config, the problem goes away
If you hack the IO::Socket file (in perl 5.8.0/5.8.1 at least), to change a line
 from....
require IO::Socket::UNIX if ($^O ne 'epoc');
to....
require IO::Socket::UNIX;

the problem also goes away.

It seems like $^O is tainted in a very strange way.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking2.20?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.20
this looks like an issue with File::Spec
(In reply to comment #9)
> this looks like an issue with File::Spec

i retract this.

it's in find_languages..

if you comment out these lines, the taint error goes away:

    my $deft_path = File::Spec->catdir('template', $lang, 'default');
    my $cust_path = File::Spec->catdir('template', $lang, 'custom');
    push(@languages, $lang) if(-d $deft_path or -d $cust_path);

however replacing them with simplified versions restores the error:

    my $deft_path = "template/$lang/default";
    my $cust_path = "template/$lang/custom";
    push(@languages, $lang) if(-d $deft_path or -d $cust_path);


hrm, $lang is tainted, however grep against the readdir protects us.
trict_taint'ing $lang in the foreach (@langdirs) fixes this.

i'm still trying to figure out why.

(In reply to comment #10)
> hrm, $lang is tainted, however grep against the readdir protects us.
> trict_taint'ing $lang in the foreach (@langdirs) fixes this.
> 
> i'm still trying to figure out why.

It's loaded from a file (well, a directory in this case).  Anything loaded from
a data file is tainted.  Note that loading from a data file is different from
executing a file which sets variables (which is what we do with localconfig and
data/params).
> It's loaded from a file (well, a directory in this case).

sorry, i know why $lang is tainted.  what i don't know is why $^O is getting
tainted as a result of $lang's taintness.
Attached patch v1 (obsolete) — Splinter Review 
Assignee: general → bugzilla
Status: NEW → ASSIGNED

        Attachment #179245 -
        Flags: review?

    
  

        Attachment #179245 -
        Flags: review?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2 (obsolete)
        — Splinter Review
      

    


  
this is a better way of doing it (thanks joel).

        Attachment #179245 -
        Attachment is obsolete: true

        Attachment #179247 -
        Flags: review?

    
  

        Attachment #179247 -
        Flags: review? → review-

    
    

    
  
Comment on attachment 179247 [details] [diff] [review]
v2

oops, meant to clear the review, not deny my own patch.

        Attachment #179247 -
        Flags: review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v3Splinter Review
      

    


  
v2, while pretty, didn't work.

        Attachment #179247 -
        Attachment is obsolete: true

        Attachment #179248 -
        Flags: review?

    
  

        Attachment #179248 -
        Flags: review? → review+

    
  
Flags: approval?
Flags: approval? → approval+

    
    

    
  
Checking in defparams.pl;
/cvsroot/mozilla/webtools/bugzilla/defparams.pl,v  <--  defparams.pl
new revision: 1.157; previous revision: 1.156
done

Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  
Flags: blocking2.20?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: