Closed Bug 509220 Opened 15 years ago Closed 9 years ago

Malformed UTF-8 characters cause Bugzilla to crash

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 6.0

People

(Reporter: mkanat, Assigned: LpSolit)

References

Details

(Whiteboard: [Bug fixed in Perl 5.12])

To see the problem, insert a comment with the Unicode character 0xFFFF. The comment sometimes will insert okay (depending on how you're doing this) but it will cause Bugzilla to die with a "Malformed UTF-8 character (fatal)" error. This happens whenever a UTF-8 string containing invalid characters is subjected to certain regexes. I'm pretty sure this is a bug in Perl, because it should not have to validate UTF-8 in order to run a regex against it. This is a security issue because anybody can add comments to any bug that they can see, and so you could theoretically DoS Bugzilla with this.
We're running into this on production bmo now. :/
Flags: blocking3.4.5?
Flags: blocking3.2.6?
For example, bug 532384 is now unviewable.
justdave manually fixed 532384 in the database so it could be viewable again.
Max, any idea how to fix this bug?
Well, the problem *is* basically a bug in Perl. There's absolutely no reason we should be hitting it. I looked into fixing the issue when I first filed it. The simplest fix, for most fields, is to modify the js/html filters to remove invalid UTF-8 characters from strings before displaying them. That's somewhat problematic because it happens when you submit the text to certain regexes, so I have no idea if the "html" filter itself wouldn't cause the issue. For comments, I'm pretty sure that this happens before the filtering stage (I think it happens when we wrap the comment). So we'd have to strip the invalid characters before they were put into the database. I have some code around somewhere that does this, but it's extremely tricky because you can't run certain regexes against the string. As I recall, the reason that I didn't post a patch is that it was impractical or impossible for us to fix it in any reliable fashion, and that the bug needs to be fixed in Perl itself.
denying blocking per mkanat's last comment.
Flags: blocking3.4.5?
Flags: blocking3.4.5-
Flags: blocking3.2.6?
Flags: blocking3.2.6-
FYI, I can reproduce the crash with Perl 5.10.1, but not with 5.12.1.
Target Milestone: Bugzilla 3.2 → Bugzilla 3.4
If we can figure out a version of Perl that fixed this and what patch fixed it upstream, maybe I can talk Red Hat into backporting it for RHEL 5, since it essentially is a DoS for web applications... (or maybe I can just backport it myself and deploy a new build here)
RHEL5 has Perl 5.8.8, RHEL6 has Perl 5.10.1. Comment 8 says it's still reproducible in 5.10.1, so we're gonna be stuck with this a while if we don't find a way to backport.
glob and I talked about maintaining a BMO yum repo for custom rpms. If Mozilla has an internal RHN Satellite server, a custom channel could do the same. But a yum repo would be easier. Then a newer version of perl and associated perl dependent packages could be stored. But it might be too much time involved keeping it updated and maintained. dkl
Target Milestone: Bugzilla 3.4 → ---
FYI, a user had this problem with Perl 5.10.0. I asked him to upgrade to Perl 5.12, and now this problem is gone. So this is consistent with what I said in comment 8. :)
Whiteboard: [Bug fixed in Perl 5.12]
Depends on: 740385
FYI, RHEL 7 has Perl 5.16, and it should be released this year. Maybe we could bump our min Perl requirement to 5.12, after all. :)
Several Unicode problems have been fixed in Perl 5.14, and Bugzilla is full of hacks due to older releases. [root@localhost Bugzilla]# trouve 5.13 163: # until we require Perl 5.13.9 or newer. 1311543 48 -rw-r----- 1 root apache 49135 fév 23 15:02 ./Template.pm 1911: # Perl 5.13.8 and older complain about non-characters. 1312366 120 -rw-r----- 1 root apache 120159 fév 23 15:01 ./Search.pm 447: # Perl 5.13.8 and older complain about non-characters. 1311541 20 -rw-r----- 1 root apache 17712 fév 23 15:02 ./Comment.pm 122: version => ($^V >= v5.13.3) ? '1.614' : '1.54' 315: version => ($^V >= v5.13.3) ? '3.67' : '3.40', 1311330 32 -rw-r----- 1 root apache 29931 fév 14 01:59 ./Install/Requirements.pm 3637: # Perl 5.13.8 and older complain about non-characters. 1311540 168 -rw-r----- 1 root apache 170870 fév 23 15:02 ./Bug.pm [root@localhost extensions]# trouve 5.14 485: # but it's only understood since Perl 5.14. So the workaround is to write 1319056 36 -rw-r----- 1 root apache 33976 fév 24 10:31 ./Example/Extension.pm Would you object if we require Perl 5.14 (instead of 5.12) for the next major release? It has been released in May 2011, and all recent Linux distros have it, including RHEL7.
Flags: needinfo?(justdave)
Flags: needinfo?(glob)
(In reply to Frédéric Buclin from comment #15) > Would you object if we require Perl 5.14 (instead of 5.12) for the next > major release? It has been released in May 2011, and all recent Linux > distros have it, including RHEL7. I personally do not have a problem with this new requirement for 6.0. dkl
(In reply to David Lawrence [:dkl] from comment #16) > I personally do not have a problem with this new requirement for 6.0. i concur.
Flags: needinfo?(glob)
(In reply to Frédéric Buclin from comment #15) > Would you object if we require Perl 5.14 (instead of 5.12) for the next > major release? It has been released in May 2011, and all recent Linux > distros have it, including RHEL7. GNOME bugzilla has several unviewable bugs due to the utf-8 problem. Upgrading to RHEL7 to solve this is a non-issue.
Depends on: 1136137
Flags: needinfo?(justdave)
Bugzilla 6.0 now requires Perl 5.14 (bug 1136137). So this bug is no longer an issue there.
Assignee: general → LpSolit
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 6.0

Removing the security flag on this bug as the problem is already public knowledge due to other bugs such as bug 1136137. We will need to backport bug 1136137 to the 5.2 branch, but I'll file a new bug for that.

Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.