Thanks for the update Olaf!
Now that I'm confident that the patch works fine, I'll commit it and
tag a new stable soon.
Regards,
David
On 21/11/11 16:26, O. Menkens, privat wrote:
Hi David,
sorry, I forgot to answer you: The patch you provided works fine (except for a missing ";" in Lock.pm).
I think the activation of the taint mode is related to the use of the fcgi-wrapper in a recent distribution: On our machine, `man perlsec` tells me that tainted mode is activated automatically "when it detects its program running with differing real and effective user or group IDs".
Nevertheless, if you did not already submit the patch, you should do it now :-)
Thanks for your help,
Olaf Menkens.
P.S.: My sympa upgrade project was postponed for some months, but now it is actually finished and the new server works fine.
On 26.08.2011 11:58, David Verdin wrote:
Better with the patch actually attached...
On 26/08/11 11:54, David Verdin wrote:
Hi,
I think the activation of the taint mode could be related to your particular perl version or configuration.
However, as you use a recent OS, we could expect this behaviour to spread around, so we had better be ready for it.
Could you please apply the patch attached to this mail and let me know if this fixes the problem? I basically tried an operation which should untaint the file names. I did it because I suspect these variables were tainted only because they were passed as arguments to a function. They don't really come from outside of the program but from another part of this program, and their value was originally computed by the program, not user-provided.
Anyway, we need these subs, so we'd better find a way to make them work.
Regards,
David
On 23/08/11 23:30, Olaf Menkens wrote:
Hello Omen,
I had the same problem here with my sympa 6.1.6 installation, which I'm currently trying to set up (cross-upgrading to a new, currently testing, machine from an old sympa 5.1.2).
Google taught me that "man perlsec" describes the reason for the "Insecure dependency" error messages. So I learned that the functions reported in the log file work with "tainted" parameters.
I analyzed the problem a little further and realized that many error messages fill the logfile when I open the web interface (lists view) for the first time after restarting the web server. Debug logging showed that the initial "do_lists" command calls List::get_lists() and this function reads information about all existing mailing lists. For each list, the function Lock::_lock_file() is called 4 times, and the function List::_save_stats_file() is called once. The problem is that the parameter "$dir" is considered to be tainted.
I found a bug fix (in List::new()):
/home/sympa/bin # diff List.pm.orig List.pm
1545c1545
< unless ($name and ($name =~ /^$listname_regexp$/io)
) {
---
unless ($name and ($name =~
/^($listname_regexp)$/io) ) {
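Review bot: the `>` marker of the replacement line after `---` is not visible in the pasted diff, so the hunk reads as if line 1545 were only removed; check that the new `unless` line survived the copy. The only functional change is the capturing group around `$listname_regexp`, which is what later makes `$1` carry the matched name; because the outer parenthesis opens first, `$1` remains the whole name even if `$listname_regexp` itself contains groups. The `/o` flag on both versions compiles the interpolated pattern once, so a `$listname_regexp` that changes at runtime would not be picked up; that is pre-existing but worth knowing when the regex is the thing that decides what gets untainted.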
1548a1549,1550
## Untaint and lowercase the
list name.
$name = $1;
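Review bot: `$name = $1;` at line 1550 is separated from the match at line 1545 by lines 1546-1548, which are not shown; if anything in between performs a pattern match, `$1` will hold that match's capture (or be undef) instead of the list name. Safer to copy the capture in a lexical right after the `unless` test, e.g. `my $untainted = $1;`, and assign from that. The comment says "Untaint and lowercase the list name" but the added code only copies `$1`; either the lowercasing happens elsewhere or the comment should drop it. Note also that the regex capture is the standard Perl way of clearing the taint flag: it declares the value validated, so the check is only as strong as `$listname_regexp`.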
I hope that some sympa developer will add this (or something better) to the next sympa release...
Omen, please tell me whether it helps for you as well!
Olaf Menkens.
P.S.: I found another "Insecure dependency" error: in tools.pm, lines 2750 & 2746 (unlink() and rmdir()). This occurs when I purge old list archives. Currently I do not have a fix for that problem, but it's interesting that the directories are deleted nevertheless, so the error message is obviously only handled like a warning, which is in my opinion helpful but quite insecure ;-)
On 13.08.2011 01:16, Omen Wild wrote:
[ I emailed about this back in April. The problem seemed to go away for a while, but it is back now. ]
Back in April we migrated an instance of Sympa 6.0.1 running on Solaris to 6.1.4 running on RHEL 6. We are seeing a large number of `mod_fcgid: stderr: Insecure dependency' errors in the Apache error log. The errors do not happen all the time, but seem to go in bursts.
For example, since midnight last night (16 hours ago) there have been almost 900,000 errors logged.
Count   File
201196  /usr/share/sympa/lib/List.pm line 9709.
604787  /usr/share/sympa/lib/Lock.pm line 253.
Line 9709 is "open(L, "> $file") || return undef;" in "sub _save_stats_file {".
Line 253 is "unless (open $fh, $open_mode.$lock_file) {" in "sub _lock_file {".
We are running sympa-6.1.4-1.20110407.RHEL6.src.rpm from 'http://sympa-ja.org/download/RHEL6.testing/SRPMS/?C=M;O=D'. There are some custom patches, but nothing in the Lock.pm module or around that line of List.pm.
I have attached the Apache config file if it helps.
Does anyone have any thoughts about how to fix this?
Thanks,
Omen
--
David Verdin
Comité réseau des universités
Due to the limitations of the human brain, I fail to remember all the mails.
So if you want your bug reports or feature requests for Sympa to be processed, please post them to the Sympa tracker
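The whole thread turns on Perl's taint mode and the regex-capture idiom in Olaf's List.pm patch. The script below is an added stand-alone demonstration, not code from Sympa or from anyone in this thread: it takes a list name from the command line, shows that it is tainted under `-T`, reproduces the "Insecure dependency" failure when such a value reaches `open()` for writing, and then validates and untaints it the way the patch does. The list-name pattern `$listname_regexp` and the `/tmp/sympa-demo-*.stats` path are constructed stand-ins; Sympa's real pattern is not on the page.

```perl
#!/usr/bin/perl -T
# Added demonstration (not Sympa code). Run with taint checks enabled:
#     perl -T taint_demo.pl Example-List
# Shows: (1) a value from @ARGV is tainted, (2) the "Insecure dependency"
# error the thread reports when a tainted path is opened for writing,
# (3) the regex-capture idiom from the List.pm patch clearing the taint flag.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-in for Sympa's $listname_regexp (not on the page).
my $listname_regexp = qr/[a-z0-9][a-z0-9._\-]*/i;

# Validate and untaint a list name. Returns the lowercased name, or undef
# when the value does not match, so nothing unexpected is ever "trusted".
# \z instead of $ keeps a trailing newline from slipping through.
sub untaint_listname {
    my ($name) = @_;
    return undef unless defined $name and $name =~ /^($listname_regexp)\z/;
    my $clean = $1;    # copy $1 at once: any later match would overwrite it
    return lc $clean;
}

my $from_outside = $ARGV[0];
die "usage: perl -T $0 <list-name>\n" unless defined $from_outside;
printf "input '%s': tainted=%d\n", $from_outside, tainted($from_outside) ? 1 : 0;

# What List::_save_stats_file hit: opening a tainted path for writing dies.
my $unsafe_path = "/tmp/sympa-demo-$from_outside.stats";   # still tainted
eval { open(my $fh, '>', $unsafe_path) or die "open: $!\n"; close $fh; 1 }
    or print "without untainting: $@";

my $clean = untaint_listname($from_outside);
if (defined $clean) {
    printf "clean '%s': tainted=%d\n", $clean, tainted($clean) ? 1 : 0;
    my $path = "/tmp/sympa-demo-$clean.stats";   # built only from clean data
    open(my $fh, '>', $path) or die "open $path: $!\n";
    print $fh "0 0 0 0\n";    # constructed placeholder stats content
    close $fh;
    unlink $path;
    print "after untainting: wrote and removed $path\n";
} else {
    print "rejected: '$from_outside' does not match the list-name pattern\n";
}
```

Two points the script makes that the patch discussion only implies: the taint flag propagates through string interpolation, so a path built from a tainted name is itself tainted, and the capture is copied into a lexical immediately after the match, since `$1` is reset by the next successful pattern match anywhere in the program.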