Closed Bug 416382 Opened 16 years ago Closed 16 years ago

Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint error

Categories

Product/Component: Bugzilla :: Attachments & Requests
Type: defect
Version: 3.0.3
Priority: Not set
Severity: major

Tracking

Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.0

People

(Reporter: ben.vandermerwe, Assigned: LpSolit)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Bugzilla 3.0.3 gives Insecure dependency in sprintf error from attachment.cgi

If a user logs into Bugzilla, it works fine. But trying to attach anything to a case results in a server error. 

If there is any workaround or Perl flag or option that can be set, that would be wonderful! Thanks. Currently our Bugzilla is pretty much dead in the water.

The Apache error.log contains this:

[Fri Feb 08 09:50:13 2008] [error] [client 10.4.0.19] Premature end of script headers: attachment.cgi, referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter
[Fri Feb 08 09:50:13 2008] [error] [client 10.4.0.19] Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter

The server is running:

MySQL 5.0.51
Perl v5.10.0.1002
Apache 2.2.8
PHP5.2.5
Bugzilla 3.0.3
Windows XP SP2

perl checksetup.pl gives:

* This is Bugzilla 3.0.3 on perl 5.10.0
* Running on WinXP/.Net Build 2600 (Service Pack 2)

Checking perl modules...
Checking for             CGI (v2.93)   ok: found v3.29 
Checking for        TimeDate (v2.21)   ok: found v2.22 
Checking for             DBI (v1.41)   ok: found v1.601 
Checking for       PathTools (v0.84)   ok: found v3.2501 
Checking for Template-Toolkit (v2.12)   ok: found v2.19 
Checking for      Email-Send (v2.16)   ok: found v2.192 
Checking for Email-MIME-Modifier (any)     ok: found v1.442 

Checking available perl DBD modules...
Checking for          DBD-Pg (v1.45)    not found 
Checking for       DBD-mysql (v2.9003) ok: found v4.005 

The following Perl modules are optional:
Checking for              GD (v1.20)   ok: found v2.35 
Checking for     Template-GD (any)      not found 
Checking for           Chart (v1.0)     not found 
Checking for         GDGraph (any)     ok: found v1.44 
Checking for      GDTextUtil (any)     ok: found v0.86 
Checking for        XML-Twig (any)     ok: found v3.32 
Checking for      MIME-tools (v5.406)  ok: found v5.425 
Checking for     libwww-perl (any)     ok: found v2.036 
Checking for     PatchReader (v0.9.4)  ok: found v0.9.5 
Checking for      PerlMagick (any)      not found 
Checking for       perl-ldap (any)     ok: found v0.34 
Checking for       SOAP-Lite (any)     ok: found v0.69 
Checking for     HTML-Parser (v3.40)   ok: found v3.56 
Checking for   HTML-Scrubber (any)     ok: found v0.08 
Checking for Email-MIME-Attachment-Stripper (any)      not found 
Checking for     Email-Reply (any)     ok: found v1.202 
Checking for        mod_perl (v1.999022)  not found 
Checking for             CGI (v3.11)   ok: found v3.29 

* NOTE: You must run any commands listed below as Administrator.

***********************************************************************
* Note For Windows Users                                              *
***********************************************************************
* In order to install the modules listed below, you first have to run * 
* the following command as an Administrator:                          *
*                                                                     *
*   ppm repo add theory58S http://theoryx5.uwinnipeg.ca/ppms          *
*                                                                     *
* Then you have to do (also as an Administrator):                     *
*                                                                     *
*   ppm repo up theory58S                                             *
*                                                                     *
* Do that last command over and over until you see "theory58S" at the *
* top of the displayed list.                                          *
***********************************************************************
**********************************************************************
* OPTIONAL MODULES                                                   *
**********************************************************************
* Certain Perl modules are not required by Bugzilla, but by          *
* installing the latest version you gain access to additional        *
* features.                                                          *
*                                                                    *
* The optional modules you do not have installed are listed below,   *
* with the name of the feature they enable. If you want to install   *
* one of these modules, just run the appropriate command in the      *
* "COMMANDS TO INSTALL" section.                                     *
**********************************************************************

***********************************************************************
*                    MODULE NAME * ENABLES FEATURE(S)                 *
***********************************************************************
*                    Template-GD * Graphical Reports                  *
* Email-MIME-Attachment-Stripper * Inbound Email                      *
*                          Chart * New Charts, Old Charts             *
*                     PerlMagick * Optionally Convert BMP Attachments to PNGs *
*                       mod_perl * mod_perl                           *
***********************************************************************
COMMANDS TO INSTALL:

    Template-GD: ppm install Template-GD
Email-MIME-Attachment-Stripper: ppm install Email-MIME-Attachment-Stripper
          Chart: ppm install Chart
     PerlMagick: ppm install PerlMagick
       mod_perl: ppm install mod_perl
Reading ./localconfig...

OPTIONAL NOTE: If you want to be able to use the 'difference between two
patches' feature of Bugzilla (which requires the PatchReader Perl module
as well), you should install patchutils from:

    http://cyberelk.net/tim/patchutils/


The following variables are no longer used in ./localconfig, and
should be removed: severities, platforms, opsys, priorities

Checking for       DBD-mysql (v2.9003) ok: found v4.005 
Checking for           MySQL (v4.1.2)  ok: found v5.0.51a-community-nt

Removing existing compiled templates ...
Precompiling templates...

Reproducible: Always

Steps to Reproduce:
1. User goes to a bug in Bugzilla and clicks "Add Attachment".
2. He fills in the details and clicks "Submit".
Actual Results:  
The web browser shows this:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, xxx@xxxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Expected Results:  
Attachment should be added successfully.

I am pretty much running the latest stable releases of all the software, as listed above. I have Googled and there are some other reports about the same type of Insecure error popping up in 3.0.1 in other places.

Any sort of workaround would be appreciated. Is there a way to turn this off?
Summary: Trying to attach bug gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter → Trying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter
Version: unspecified → 3.0.3
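The error in the Apache log above is Perl's taint mode at work: under -T, data that came from outside the program (environment, arguments, request input) is marked tainted, and passing it to an operation that affects the outside world is fatal with "Insecure dependency in ... while running with -T switch". The following stand-alone script is an added illustration, not code from this bug, from Bugzilla or from CGI.pm: it taints a constructed filename the way a request parameter would be tainted, shows the fatal error, and then applies the regex-capture idiom that is the documented way to untaint a value. The filename and the directory handling are assumptions for the demo; it does not reproduce the CGI.pm sprintf path itself.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug, Bugzilla or CGI.pm): taint mode turning
# external data into a fatal "Insecure dependency" error, and the regex
# untaint idiom that clears it. Run with the -T switch:  perl -T taint_demo.pl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Constructed stand-in for a filename taken from a request. Concatenating a
# literal with a zero-length slice of a tainted value (%ENV is tainted under
# -T) taints the result, so the demo is deterministic without real input.
my $from_request = substr($ENV{PATH}, 0, 0) . 'attachment-806.bin';

# File::Temp is taint-aware, so this directory path is safe to use under -T.
my $dir = tempdir(CLEANUP => 1);

# Try to create the file; return the error text if taint mode (or anything
# else) refuses the operation, or the empty string on success.
sub try_create {
    my ($name) = @_;
    my $path = File::Spec->catfile($dir, $name);   # tainted if $name is
    local $@;
    eval {
        open my $fh, '>', $path or die "open: $!";
        close $fh;
        1;
    } or return $@;
    return '';
}

# Untaint by allow-list: the captures of a successful regex match are never
# tainted, so the pattern decides what is allowed to reach the filesystem.
sub untaint_filename {
    my ($name) = @_;
    my ($clean) = $name =~ /^([A-Za-z0-9._-]+)$/
        or die "refusing unexpected filename\n";
    return $clean;
}

printf "input tainted:   %s\n", tainted($from_request) ? 'yes' : 'no';
printf "raw name:        %s",   try_create($from_request) || "created\n";

my $clean = untaint_filename($from_request);
printf "clean tainted:   %s\n", tainted($clean) ? 'yes' : 'no';
printf "clean name:      %s",   try_create($clean) || "created\n";
```

The first try_create() dies inside the eval with "Insecure dependency in open while running with -T switch", the same family of message as the sprintf error in the log above; the second succeeds because the captured value is untainted. The point for operators hitting this bug is that the -T switch cannot be "turned off" from the application side without giving up the protection everywhere, which is why the thread below looks for a library fix rather than a flag.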
I can see this, too. I suspect Perl 5.10.0 -- can you downgrade to Perl 5.8.x?
Migrating back down to Perl 5.8.8 resolved this problem.
Thank you kindly Marc! At least now there is a known work around!
We may need to blacklist certain version combinations of Perl and the CGI module. Requesting blocking to get this into the release notes or minimum requirements list.
Flags: blocking3.2?
Flags: blocking3.0.4?
Yes, this is a known problem with CGI.pm and Perl 5.10 on versions of CGI.pm less than 3.33 (the very latest):

  http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2008-01/msg01376.html
Severity: critical → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking3.2?
Flags: blocking3.2+
Flags: blocking3.0.4?
Flags: blocking3.0.4+
OS: Windows XP → All
Hardware: PC → All
Summary: Trying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter → Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint errorTrying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter
Target Milestone: --- → Bugzilla 3.0
(In reply to comment #1)
> I can see this, too. I suspect Perl 5.10.0 -- can you downgrade to Perl 5.8.x?

I should try again, but I don't remember having problem with Perl 5.10.0 and CGI.pm 3.29 (what a pity I rebooted on Linux right now, I cannot test again).
Summary: Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint errorTrying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter → Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint error
(In reply to comment #6)
> I should try again, but I don't remember having problem with Perl 5.10.0 and
> CGI.pm 3.29 (what a pity I rebooted on Linux right now, I cannot test again).

  You might have to try uploading something large enough that CGI.pm tries to use a temp file instead of storing it in memory. I don't know what the size limit is for that.
(In reply to comment #4)
> We may need to blacklist certain version combinations of Perl and the CGI
> module. Requesting blocking to get this into the release notes or minimum
> requirements list.

We shouldn't blacklist anything. CGI.pm 3.33, the latest currently available, still doesn't have this fix:

http://search.cpan.org/src/LDS/CGI.pm-3.33/Changes

The maintainer said he would include the fix on January 30, but 3.33 was released on January 3rd. So blacklisting CGI.pm 3.33 and older means forbidding Perl 5.10. We should rather relnote it.
Following is the result of checksetup.pl command:


C:\>cd c:\bugzilla

C:\Bugzilla>perl checksetup.pl

* This is Bugzilla 3.0.2 on perl 5.8.8
* Running on Win2003 Build 3790 (Service Pack 2)

Checking perl modules...
Checking for             CGI (v2.93)   ok: found v3.29
Checking for        TimeDate (v2.21)   ok: found v2.22
Checking for             DBI (v1.41)   ok: found v1.58
Checking for       PathTools (v0.84)   ok: found v3.25
Checking for Template-Toolkit (v2.12)   ok: found v2.15
Checking for      Email-Send (v2.16)   ok: found v2.185
Checking for Email-MIME-Modifier (any)     ok: found v1.442

Checking available perl DBD modules...
Checking for          DBD-Pg (v1.45)    not found
Checking for       DBD-mysql (v2.9003) ok: found v3.0002

The following Perl modules are optional:
Checking for              GD (v1.20)   ok: found v2.16
Checking for     Template-GD (any)     ok: found v1.56
Checking for           Chart (v1.0)    ok: found v2.3
Checking for         GDGraph (any)     ok: found v1.43
Checking for      GDTextUtil (any)     ok: found v0.86
Checking for        XML-Twig (any)     ok: found v3.26
Checking for      MIME-tools (v5.406)  ok: found v5.411
Checking for     libwww-perl (any)     ok: found v2.036
Checking for     PatchReader (v0.9.4)  ok: found v0.9.5
Checking for      PerlMagick (any)      not found
Checking for       perl-ldap (any)     ok: found v0.34
Checking for       SOAP-Lite (any)     ok: found v0.55
Checking for     HTML-Parser (v3.40)   ok: found v3.56
Checking for   HTML-Scrubber (any)     ok: found v0.08
Checking for Email-MIME-Attachment-Stripper (any)     ok: found v1.313
Checking for     Email-Reply (any)     ok: found v1.202
Checking for        mod_perl (v1.999022)  not found
Checking for             CGI (v3.11)   ok: found v3.29
Checking for      Apache-DBI (v0.96)    not found

* NOTE: You must run any commands listed below as Administrator.

***********************************************************************
* Note For Windows Users                                              *
***********************************************************************
* In order to install the modules listed below, you first have to run *
* the following command as an Administrator:                          *
*                                                                     *
*   ppm repo add theory58S http://theoryx5.uwinnipeg.ca/ppms          *
*                                                                     *
* Then you have to do (also as an Administrator):                     *
*                                                                     *
*   ppm repo up theory58S                                             *
*                                                                     *
* Do that last command over and over until you see "theory58S" at the *
* top of the displayed list.                                          *
***********************************************************************
**********************************************************************
* OPTIONAL MODULES                                                   *
**********************************************************************
* Certain Perl modules are not required by Bugzilla, but by          *
* installing the latest version you gain access to additional        *
* features.                                                          *
*                                                                    *
* The optional modules you do not have installed are listed below,   *
* with the name of the feature they enable. If you want to install   *
* one of these modules, just run the appropriate command in the      *
* "COMMANDS TO INSTALL" section.                                     *
**********************************************************************

***********************************************************************
* MODULE NAME * ENABLES FEATURE(S)                                    *
***********************************************************************
*  PerlMagick * Optionally Convert BMP Attachments to PNGs            *
*    mod_perl * mod_perl                                              *
*  Apache-DBI * mod_perl                                              *
***********************************************************************
COMMANDS TO INSTALL:

     PerlMagick: ppm install PerlMagick
       mod_perl: ppm install mod_perl
     Apache-DBI: ppm install Apache-DBI
Reading ./localconfig...

OPTIONAL NOTE: If you want to be able to use the 'difference between two
patches' feature of Bugzilla (which requires the PatchReader Perl module
as well), you should install patchutils from:

    http://cyberelk.net/tim/patchutils/

Checking for       DBD-mysql (v2.9003) ok: found v3.0002
Checking for           MySQL (v4.1.2)  ok: found v5.0.37-community-nt

Removing existing compiled templates ...
Precompiling templates...

C:\Bugzilla>


I am using IIS.

Still I am getting this error. Please suggest.
(In reply to comment #8)
> We shouldn't blacklist anything. CGI.pm 3.33, the latest currently available,
> still hasn't this fix:
> 
> http://search.cpan.org/src/LDS/CGI.pm-3.33/Changes

Interestingly enough, the URL above doesn't mention this fix in 3.33, but the one below does, for 3.33:

http://search.cpan.org/src/LDS/CGI.pm-3.35/Changes


As CGI.pm 3.35 has been released, it's now fine to require 3.33 or better with Perl 5.10.
Attached patch: patch, v1 (Splinter Review)
Make sure CGI 3.33 or better is available when running Perl 5.10 or higher.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #314066 - Flags: review?(wurblzap)
Attachment #314066 - Flags: review?(mkanat)
Comment on attachment 314066 [details] [diff] [review]
patch, v1

I think:

eval { require 5.10 } would be simpler than that vers_cmp check.
(In reply to comment #12)
> eval { require 5.10 } would be simpler than that vers_cmp check.

Bah, let's avoid eval {} when we can. And the syntax used in the patch is already used elsewhere. :)
Oh, and it wouldn't be simpler as you would have to check $@, making the code even bigger.
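The rule the patch adds to Bugzilla/Install/Requirements.pm ("CGI 3.33 or better when running Perl 5.10 or higher") and the eval-versus-vers_cmp exchange in the two comments above are easy to get subtly wrong, so here is an added, stand-alone sketch of the check. It is not the patch itself (the diff is not reproduced on this page) and the function names are made up for the illustration; Bugzilla's own helper is the vers_cmp the reviewer mentions. Two details worth noting: dotted versions such as 3.29 and 3.33 must be compared as versions, not strings, and a numeric literal 5.10 in Perl means 5.1, which `require`/`use` read as Perl 5.100, so the comparison has to be written against 5.010 (or the v-string v5.10.0).

```perl
#!/usr/bin/perl
# Added example, not the patch on this bug: a stand-alone version of the
# requirement rule "CGI.pm 3.33 or better when running on Perl 5.10 or higher".
# Names are invented for the illustration; the real check lives in
# Bugzilla/Install/Requirements.pm.
use strict;
use warnings;
use version;

# Baseline CGI.pm requirement as printed by checksetup.pl above (v2.93), raised
# on Perl 5.10+, where older CGI.pm releases trip taint checks during upload.
sub required_cgi_version {
    my ($perl) = @_;
    # $] is numeric: 5.008008 for Perl 5.8.8, 5.010000 for Perl 5.10.0.
    # Compare against 5.010, not 5.10: the literal 5.10 is the number 5.1.
    return $perl >= 5.010 ? '3.33' : '2.93';
}

# version->new() compares 3.29 < 3.33 < 3.35 correctly; a plain string
# comparison would also work here but breaks on e.g. 3.9 vs 3.33.
sub cgi_version_ok {
    my ($installed_cgi, $perl) = @_;
    $perl = $] unless defined $perl;
    return version->new($installed_cgi) >= version->new(required_cgi_version($perl));
}

# Constructed table: the reporter's failing and working combinations plus
# the one that satisfies the new requirement.
my @combinations = (
    [ 5.008008, '3.29' ],   # Perl 5.8.8 + CGI.pm 3.29: the downgrade that worked
    [ 5.010000, '3.29' ],   # Perl 5.10.0 + CGI.pm 3.29: the reported failure
    [ 5.010000, '3.35' ],   # Perl 5.10.0 + CGI.pm 3.35: meets the requirement
);

for my $c (@combinations) {
    my ($perl, $cgi) = @$c;
    printf "perl %.6f + CGI.pm %s: %s\n", $perl, $cgi,
        cgi_version_ok($cgi, $perl)
            ? 'ok'
            : 'too old, need CGI.pm ' . required_cgi_version($perl) . ' or better';
}

# The alternative raised in comment 12, applied to the running interpreter:
# "require VERSION" dies when perl is too old, so it needs eval and a check of
# its result, which is the extra code the reply objects to. Note 5.010, not 5.10.
my $is_510 = eval { require 5.010; 1 } ? 1 : 0;
printf "this interpreter (v%vd) %s Perl 5.10\n", $^V,
    $is_510 ? 'is at least' : 'is older than';
```

Run it with the Perl that Bugzilla uses (on the reporter's system, the ActivePerl 5.10 build) to see which combinations the new requirement accepts; with Perl 5.8.8 the 2.93 baseline applies and CGI.pm 3.29 passes, which matches the downgrade workaround reported above.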
Comment on attachment 314066 [details] [diff] [review]
patch, v1

Okay, that looks fine to me, then. :-)
Attachment #314066 - Flags: review?(mkanat) → review+
Flags: approval3.0+
Flags: approval+
Attachment #314066 - Flags: review?(wurblzap)
tip:

Checking in Bugzilla/Install/Requirements.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Requirements.pm,v  <--  Requirements.pm
new revision: 1.45; previous revision: 1.44
done

3.0.3:

Checking in Bugzilla/Install/Requirements.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Requirements.pm,v  <--  Requirements.pm
new revision: 1.29.2.4; previous revision: 1.29.2.3
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Keywords: relnote
Resolution: --- → FIXED
I'm not sure this was relnoted for 3.0.4, but we released it a while ago, so removing relnote keyword.
Keywords: relnote
No, we didn't relnote it when releasing 3.0.4 (which wasn't released that long ago).