Closed Bug 288483 Opened 20 years ago Closed 20 years ago

Internal error on creating attachment. (Tainted)

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: jan.ruzicka, Assigned: jan.ruzicka)

Details

(Whiteboard: [ready for 2.18.1] [does not affect trunk])

Attachments

(2 files, 2 obsolete files)

a stack trace
2.86 KB, text/plain
Details
patch for attachment.cgi #3
960 bytes, patch
bugzilla
: review+
justdave
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: 2.18

Each time I was adding an attachment the result page was showing an error.


Reproducible: Always

Steps to Reproduce:
1. select a bug
2. click on "Create a New Attachment"
3. select a file
4. fill in Description
5. select Content Type
6. click submit

Actual Results:  
a page containing error message.

Expected Results:  
a page containing message about attachment successful submission.

This bug is similar to the bug 204042.
It is in the same subroutine, insert.

Also this bug behaves strange as the attachment is actually inserted into the
database.
Attached patch patch for attachment.cgi (obsolete) — Splinter Review 
using the same change as bug 204042.
Comment on attachment 179190 [details] [diff] [review]
patch for attachment.cgi

Asking for review for you :)
Attachment #179190 - Flags: review?
Attached file a stack trace 
The stack trace was done by adding following change to the attachment.cgi
----------------
 # Include the Bugzilla CGI and general utility library.
 require "CGI.pl";
 
+use Carp qw/confess cluck/;
+$SIG{__WARN__} = \&cluck;
+$SIG{__DIE__} = \&confess;
+
 # Use these modules to handle flags.
 use Bugzilla::Constants;
 use Bugzilla::Flag;
----------------
Comment on attachment 179190 [details] [diff] [review]
patch for attachment.cgi

A few issues: 

detaint_natural() is for numbers, trick_taint() would be used for a string, I
think.

Also, we only detaint_natural() the bugid because we have validated it earlier.
We have not (yet) validated the contenttypemethod, so it may not be safe to do
the trick_taint(). We can either add the trick_taint() in place of your
detaint_natural() anyway (the quick fix), or I would suggest maybe setting
$FORM{contenttypemethod} to a knownn, untainted value in the validateispatch()
and validatecontenttype() routines?
Attachment #179190 - Flags: review? → review-

(In reply to comment #4)
> (From update of attachment 179190 [details] [diff] [review] [edit])
> A few issues: 
> 
> detaint_natural() is for numbers, trick_taint() would be used for a string, I
> think.
> 
> Also, we only detaint_natural() the bugid because we have validated it earlier.

> We have not (yet) validated the contenttypemethod, so it may not be safe to do
> the trick_taint(). We can either add the trick_taint() in place of your
> detaint_natural() anyway (the quick fix), or I would suggest maybe setting
> $FORM{contenttypemethod} to a knownn, untainted value in the validateispatch()
> and validatecontenttype() routines?

it was actually validated earlier validateContentType() is called before the
insert subroutine.

    118   Bugzilla->login(LOGIN_REQUIRED);
    119   ValidateBugID($::FORM{'bugid'});
    120   validateCanChangeBug($::FORM{'bugid'});
    121   ValidateComment($::FORM{'comment'});
    122   validateFilename();
    123   validateIsPatch();
    124   my $data = validateData();
    125   validateDescription();
    126   validateContentType() unless $::FORM{'ispatch'};
    127   validateObsolete() if $::FORM{'obsolete'};
    128   insert($data);
Attached patch patch for attachment.cgi #2 (obsolete) — Splinter Review 
detaint_natural() changed to trick_taint() also added same treetment for
'contenttypemethod'.
Attachment #179190 - Attachment is obsolete: true
Attachment #179223 - Flags: review?
I don't see this problem on the tip.

My suspicion is that it is because the Perl 5.6.0 way of handling tainted data.
The installation in question can't be updated to the latest Perl.
See discussion for bug 204042.

I also do not see this on the tip, or on 2.18. 

Jan, what version of OSX are you on? Is it running perl 5.6.0 which caused the
problems before?

I'm also confused that detainting the contenttypemethod fixes the problem,
because your trace points to something else. The trace looks like it has a
problem with a tainted bugid when sending mail after the attachment is created.
I cannot see anywhere where the contenttypemethod is used where it would need
detainting. Can anyone enlighten me?
I am runing on the OS X server 10.2.something.
I suspect that a tainted element in a hash makes the whole hash tainted.
Attachment #179223 - Flags: review? → review+
Flags: blocking2.20?
Flags: blocking2.18.2?
Flags: approval?
Flags: approval? → approval+
(In reply to comment #10)
> I am runing on the OS X server 10.2.something.
> I suspect that a tainted element in a hash makes the whole hash tainted. 

Bingo.

This is a Perl 5.6.0-only problem, which makes this 2.18-branch only, because we
no longer support Perl 5.6.0 on the tip.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking2.20?
Flags: blocking2.20-
Flags: blocking2.18.2?
Flags: blocking2.18.1+
Flags: approval2.18+
Flags: approval-
Flags: approval+
Whiteboard: [ready for 2.18.1] [does not affect trunk]
Target Milestone: --- → Bugzilla 2.18
Assignee: attach-and-request → jan.ruzicka
Comment on attachment 179223 [details] [diff] [review]
patch for attachment.cgi  #2

runtests.sh fails. Moreover, $contenttype is already defined as
SqlQuote($::FORM{'contenttype'}) so maybe the code could be simplified a bit.
Attachment #179223 - Flags: review-
Fixed the $contenttype redefinition as pointed out by Frédéric Buclin.

I am not sure if the if the SqlQuote($::FORM{'contenttype'}) is appropriate for

 $template->process(), so that part remains the same.
Attachment #179223 - Attachment is obsolete: true
Attachment #179841 - Flags: review?
Attachment #179841 - Flags: review? → review?(LpSolit)
Comment on attachment 179841 [details] [diff] [review]
patch for attachment.cgi #3

I'm too busy right now to check this.
Attachment #179841 - Flags: review?(LpSolit) → review?
(In reply to comment #13)
> I am not sure if the if the SqlQuote($::FORM{'contenttype'}) is appropriate for
> 
>  $template->process(), so that part remains the same.

Neither contenttype or contenttypemethod fields are used in the process() call,
so it it is fine as it is now.
Comment on attachment 179841 [details] [diff] [review]
patch for attachment.cgi #3

Yes, this is better. runtests is OK now. (sorry for only
reviewing-by-inspecting before :(
Attachment #179841 - Flags: review? → review+
(In reply to comment #15)
> Neither contenttype or contenttypemethod fields are used in the process() call,
> so it it is fine as it is now.

GavinS, so what do you mean? Does it hurt if:

$vars->{'contenttype'} = SqlQuote($::FORM{'contenttype'}); ?

If yes, then remove your r+ and read my comment 12. Else keep your r+. ;)
Status: NEW → ASSIGNED
(In reply to comment #17)
> (In reply to comment #15)
> > Neither contenttype or contenttypemethod fields are used in the process() call,
> > so it it is fine as it is now.
> 
> GavinS, so what do you mean? Does it hurt if:
> 
> $vars->{'contenttype'} = SqlQuote($::FORM{'contenttype'}); ?
> 
> If yes, then remove your r+ and read my comment 12. Else keep your r+. ;)
> 

Just to re-cap, I think that this patch (now the runtests.sh issue is fixed)
just trick_taint()s the 2 values we need it to, and does not add or remove any
SQLQuoting().

[When I said 'not used', I was not 100% accurate, sorry :( They _are_ used, but
only to display a value to the user, not for any other purpose.]

My understanding is that it would not break anything if $vars->{'contenttype'}
was SQLQuoted. This is because the contenttype value in %FORM is only used in
the template process() if we autodetected the attachment type, and then only
used to display the auto-detected value to the user.

Strictly speaking, I think it would probably be better to display the
autodetected value rather than the SQLQuoted() version. (Which is what we did
before, and still do now anyway)
 
I'm fine with asking someone else for a 2nd review, if you want...
Attachment #179841 - Flags: review?
Comment on attachment 179841 [details] [diff] [review]
patch for attachment.cgi #3

Looks good to me.

I note some comments about "we can remove this is we require 5.6.1 or newer",
maybe we should do that on the tip (but it's probably another bug)
Attachment #179841 - Flags: review? → review+
Comment on attachment 179841 [details] [diff] [review]
patch for attachment.cgi #3

>+  my $contenttypemethod = $::FORM{'contenttypemethod'};
>+  trick_taint($contenttypemethod); # Same Perl 5.6.0 hack as above
>+  $contenttype = $::FORM{'contenttype'};

  You know, I don't know why we're re-using the $contenttype variable here, at
all. It's used all over the place in this file, and I don't have any idea what
the consequences of modifying it here are. Couldn't we just make a
$form_content_type variable, to be safe? After all, it's just a hack for the
branch.
(In reply to comment #20)
>   You know, I don't know why we're re-using the $contenttype variable here 
> [snip]

  Oh, nevermind this comment. :-) Everything is fine, the block ends right after
that. :-)
2.18:

Checking in attachment.cgi;
/cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v  <--  attachment.cgi
new revision: 1.58.2.4; previous revision: 1.58.2.3
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: