Hi David,
sorry, I forgot to answer you: The patch you provided works fine
(except for a missing ";" in Lock.pm).
I think the activation of the taint mode is related to the use of
the fcgi-wrapper in a recent distribution: On our machine, `man
perlsec` tells me that tainted mode is activated automatically,
"when it detects its program running with differing real and
effective user or group IDs".
Nevertheless, if you did not already submit the patch, you should do
it now :-)
Thanks for your help,
Olaf Menkens.
P.S.: My sympa upgrade project was postponed for some months, but
now it is actually finished and the new server works fine.
On 26.08.2011 11:58, David Verdin wrote:
Better with the patch actually attached...
On 26/08/11 11:54, David Verdin wrote:
Hi,
I think the activation of the taint mode could be related to
your particular perl version or configuration.
However, as you use a recent OS, we could expect this behaviour
to spread around, so we better be ready for it.
Could you please apply the patch attached to this mail and let
me know if this fixes the problem? I basically tried an
operation which should untaint the file names. I did it because
I suspect these variables were tainted only because they were
passed as argument to a function. They don't really come from
outside of the program but from another part of this program
and their value was originally computed by the program, not
user-provided.
Anyway, we need these subs, so we'd better find a way to make
them work.
Regards,
David
On 23/08/11 23:30, Olaf Menkens wrote:
Hello Omen,
I had the same problem here with my sympa 6.1.6 installation,
I'm currently trying to set up (cross upgrading to a new -
currently testing - machine from an old sympa 5.1.2).
Google taught me that "man perlsec" describes the reason for
the "Insecure dependency" error messages. So I learned that
the functions reported in the log file work with "tainted"
parameters.
I analyzed the problem a little further and realized that
many error messages fill the logfile when I open the web
interface (lists view) for the first time after restarting the
web server. Debug logging showed that the initial "do_lists"
command calls List::get_lists() and this function reads
information about all existing mailing lists. For each list,
the function Lock::_lock_file() is called 4 times, and the
function List::_save_stats_file() is called once. The problem
is that the parameter "$dir" is considered to be tainted.
I found a bug fix (in List::new()):
/home/sympa/bin # diff List.pm.orig List.pm
1545c1545
< unless ($name and ($name =~ /^$listname_regexp$/io) )
{
---
unless ($name and ($name =~
/^($listname_regexp)$/io) ) {
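Review bot: the new capturing group around `$listname_regexp` is what allows the following hunk to copy an untainted value out of `$1`, so the untaint is exactly as strict as that pattern; since the match is anchored with `^...$`, the remaining thing to confirm is that `$listname_regexp` itself cannot match a path separator or any other character that is unsafe in a file name, because whatever it accepts becomes a trusted `$dir` component. Also, the `>` prefix of the two replacement lines has been lost in the mail, so the hunk as quoted will not apply with `patch` until it is restored.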
1548a1549,1550
## Untaint and lowercase the list
name.
$name = $1;
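Review bot: the comment says "Untaint and lowercase", but `$name = $1;` only untaints; because the match at line 1545 uses `/i`, `$1` keeps whatever case the caller passed, so either write `$name = lc $1;` or drop "lowercase" from the comment. Also, `$1` always refers to the most recent successful match, so this assignment is only correct if no other regex runs between the `unless` at line 1545 and line 1549; capturing into a lexical right at the match (`my ($clean) = $name =~ /^($listname_regexp)$/io;`) would make that dependency explicit.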
I hope that some sympa developer will add this (or something
better) to the next sympa release...
Omen, please tell me, whether it helps for you as well !
Olaf Menkens.
P.S.: I found another "Insecure dependency" error: in
tools.pm, line 2750 & 2746 (unlink() and rmdir()). This
occurs when I purge old list archives. Currently I do not
have a fix for that problem, but it's interesting that the
directories are deleted nevertheless, so the error message is
obviously only handled like a warning, which is in my opinion
helpful but quite insecure ;-)
On 13.08.2011 01:16, Omen Wild wrote:
[ I emailed about this back in April. The problem seemed to go away
for a while, but it is back now. ]
Back in April we migrated an instance of Sympa 6.0.1 running on Solaris
to 6.1.4 running on RHEL 6. We are seeing a large number of `mod_fcgid:
stderr: Insecure dependency' errors in the Apache error log. The
errors do not happen all the time, but seem to go in bursts.
For example, since midnight last night (16 hours ago) there have been
almost 900,000 errors logged.
Count File
201196 /usr/share/sympa/lib/List.pm line 9709.
604787 /usr/share/sympa/lib/Lock.pm line 253.
Line 9709 is "open(L, "> $file") || return undef;" in
"sub _save_stats_file {".
Line 253 is "unless (open $fh, $open_mode.$lock_file) {" in
"sub _lock_file {".
We are running sympa-6.1.4-1.20110407.RHEL6.src.rpm from
'http://sympa-ja.org/download/RHEL6.testing/SRPMS/?C=M;O=D'. There are
some custom patches, but nothing in the Lock.pm module or around that
line of List.pm.
I have attached the Apache config file if it helps.
Does anyone have any thoughts about how to fix this?
Thanks,
Omen
--
David Verdin
Comité réseau des universités
Due to the limitations of the human brain, I fail to remember all
the mails.
So if you want your bug reports or feature requests for Sympa
to be processed, please post them to the
Sympa tracker
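To see the behaviour discussed in this thread end to end, here is an added example (not code from Sympa or from anyone in the thread): a tainted value, the fatal "Insecure dependency" that open() raises on it under -T, and the regex-capture untaint used in the List.pm patch. The list-name pattern is a simplified stand-in for Sympa's $listname_regexp, and the script name taint_demo.pl is an assumption.

```perl
#!/usr/bin/perl -T
# Added example (not Sympa's code): Perl taint mode and the
# regex-capture untaint idiom from the List.pm patch in this thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: a simplified stand-in for Sympa's $listname_regexp, not the
# real one. It admits only letters, digits, '.', '_' and '-', so a captured
# match can never contain a path separator, whitespace or shell metacharacter.
my $listname_regexp = '[a-z0-9][a-z0-9._-]*';

# Same idea as the patched List::new(): match the whole string against the
# anchored pattern and copy the capture out of $1. Only the copy is untainted.
sub untaint_listname {
    my ($name) = @_;
    return undef unless defined $name and $name =~ /^($listname_regexp)$/i;
    return lc $1;    # lowercase as well, as the patch comment intends
}

# Constructed input: appending an empty slice of a tainted %ENV value is the
# usual way to mark a literal as tainted for a demonstration.
my $raw = 'My-List' . substr($ENV{PATH} // '', 0, 0);
printf "'%s' tainted: %s\n", $raw, tainted($raw) ? 'yes' : 'no';

my $clean = untaint_listname($raw);
die "rejected: '$raw' is not a valid list name\n" unless defined $clean;
printf "'%s' tainted: %s\n", $clean, tainted($clean) ? 'yes' : 'no';

# open() for writing on a path built from the tainted value is fatal under -T
# ("Insecure dependency in open while running with -T switch"); the same
# open() on the untainted copy succeeds.
my $dir = '/tmp';    # a literal inside the program, hence untainted
for my $candidate ($raw, $clean) {
    my $file = "$dir/stats-$candidate";
    my $ok = eval {
        open(my $fh, '>', $file) or die "$!\n";
        close $fh;
        unlink $file;
        1;
    };
    print $ok ? "open($file): ok\n" : "open($file): $@";
}
```

Run it as `perl -T taint_demo.pl`; the first open() reports the Insecure dependency error and the second, on the lowercased untainted copy, succeeds.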