Mysterious taint issue in Bugzilla4Intranet git~e099a6b018a0599b2f4e5eea13832d47b1259a30 #14796

Closed
p5pRT opened this issue Jul 9, 2015 · 10 comments

p5pRT commented Jul 9, 2015

Migrated from rt.perl.org#125584 (status was 'rejected')

Searchable as RT125584$

p5pRT commented Jul 9, 2015

From vitalif@mail.ru

Hi!

I experience a mysterious taint issue in Bugzilla4Intranet (https://github.com/vitalif/bugzilla-4intranet), with git commit a72643daeb18cc237684be4c3ec107cd3a2a4ad6 and Perl 5.20.2 from Debian Sid (package version 5.20.2-6).

Most dependencies are installed from CPAN, ImageMagick is installed from Debian (perlmagick 8:6.8.9.9-5). A full list of dependencies is in README starting with line 52, both "minimal" and "full" module lists are installed.

Stand-alone HTTP::Server::Simple based server is used for serving HTTP requests (see ./HTTPServerSimple.pl, configuration example is in the end).

The problem shows up in Bugzilla/Object.pm in _init() at line 124 and _do_list_select() at line 288. In both places there's the following line:

my $cols = join(',', $class->DB_COLUMNS);

After this line $cols becomes tainted although NONE of DB_COLUMNS (a list constant) are tainted themselves and $class is also not tainted!

The error reproduces with $class equal to at least Bugzilla::Product and Bugzilla::Component.

I've seen similar taint mode bugs in the past - is it possible to fix them at last?

p5pRT commented Jul 9, 2015

From vitalif@mail.ru

...and changing the constant definition from 'use constant DB_COLUMNS => qw(...)' to 'sub DB_COLUMNS() { qw(...) }' works around this issue. :-(

P.S: sorry, I've included different git versions in issue title and description. a72643daeb18cc237684be4c3ec107cd3a2a4ad6 is more correct.

p5pRT commented Jul 10, 2015

From @jkeenan

On Thu Jul 09 04:38:41 2015, vitalif@mail.ru wrote:

> Hi!
>
> I experience a mysterious taint issue in Bugzilla4Intranet
> (https://github.com/vitalif/bugzilla-4intranet), with git commit
> a72643daeb18cc237684be4c3ec107cd3a2a4ad6 and Perl 5.20.2 from Debian
> Sid (package version 5.20.2-6).
>
> Most dependencies are installed from CPAN, ImageMagick is installed
> from Debian (perlmagick 8:6.8.9.9-5). A full list of dependencies is
> in README starting with line 52, both "minimal" and "full" module
> lists are installed.
>
> Stand-alone HTTP::Server::Simple based server is used for serving HTTP
> requests (see ./HTTPServerSimple.pl, configuration example is in the
> end).
>
> The problem shows up in Bugzilla/Object.pm in _init() at line 124 and
> _do_list_select() at line 288. In both places there's the following
> line:
>
> my $cols = join(',', $class->DB_COLUMNS);
>
> After this line $cols becomes tainted although NONE of DB_COLUMNS (a
> list constant) are tainted themselves and $class is also not tainted!
>
> The error reproduces with $class equal to at least Bugzilla::Product
> and Bugzilla::Component.
>
> I've seen similar taint mode bugs in the past - is it possible to fix
> them at last?

The rt.perl.org issue queue and the perl5-porters mailing list have as their focus the development and maintenance of the Perl 5 core distribution. That focus does not include problems you might encounter with CPAN libraries that are not distributed with the core, except insofar as they clearly suggest problems with the core distribution.

None of the libraries you mentioned are distributed with core, so we can't help you very much with them. If you could present a clear, short example of the tainting problem without reference to those libraries, then we might have something to work with.

Also, I could not find any modules called Bugzilla::Product or Bugzilla::Component on CPAN. Are they perhaps modules that come with Bugzilla itself? A post on a Bugzilla-related mailing list might be a good place to start.

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)
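
A possible starting point for the short, library-free test case requested above, added here as an example and not part of the original ticket or of Bugzilla. The package names `My::WithConstant` and `My::WithSub` and the column names are hypothetical stand-ins; the two `DB_COLUMNS` definitions mirror the `use constant` form and the `sub` workaround described in the report.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with: perl -T\n" unless ${^TAINT};

# Hypothetical stand-ins for Bugzilla::Product / Bugzilla::Component;
# the column names are constructed sample values.
package My::WithConstant { use constant DB_COLUMNS => qw(id name description); }
package My::WithSub      { sub DB_COLUMNS() { qw(id name description) } }

package main;

# Return one report line per value, flagging anything the interpreter
# currently marks as tainted: the class name, each column, the joined string.
sub taint_report {
    my ($class) = @_;
    my @lines = sprintf('%s (class name tainted=%d)', $class, tainted($class) ? 1 : 0);
    for my $col ($class->DB_COLUMNS) {
        push @lines, sprintf('  column %-12s tainted=%d', $col, tainted($col) ? 1 : 0);
    }
    my $cols = join(',', $class->DB_COLUMNS);    # the line from Bugzilla/Object.pm
    push @lines, sprintf('  joined %-24s tainted=%d', "'$cols'", tainted($cols) ? 1 : 0);
    return @lines;
}

# Positive control: a zero-length slice of environment data keeps the taint
# flag, which confirms that tainted() reports correctly in this process.
my $control = 'x' . substr(join('', values %ENV), 0, 0);
print "control tainted=", (tainted($control) ? 1 : 0), "\n";

print "$_\n" for map { taint_report($_) } qw(My::WithConstant My::WithSub);
```

Calling `taint_report` with the real class names from inside the affected application, after its modules are loaded, shows whether the individual columns or only the joined string carry the taint flag.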

p5pRT commented Jul 10, 2015

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jul 10, 2015

From vitalif@mail.ru

> The rt.perl.org issue queue and the perl5-porters mailing list have as their focus the development and maintenance of the Perl 5 core distribution. That focus does not include problems you might encounter with CPAN libraries that are not distributed with the core, except insofar as they clearly suggest problems with the core distribution.

I think it's clearly a perl core bug when the concatenation of several NON-TAINTED scalars becomes TAINTED.

Everything else in bug description just relates to environment - it only reproduces in Bugzilla and in specific perl version(s?).

I can't easily reproduce the issue in a simple perl script, but it happens and it's rather unpleasant...

Bugzilla::Product and Bugzilla::Component are of course parts of Bugzilla.

p5pRT commented Jul 10, 2015

From @jkeenan

On Fri Jul 10 05:32:19 2015, vitalif@mail.ru wrote:

> > The rt.perl.org issue queue and the perl5-porters mailing list have
> > as their focus the development and maintenance of the Perl 5 core
> > distribution. That focus does not include problems you might
> > encounter with CPAN libraries that are not distributed with the core,
> > except insofar as they clearly suggest problems with the core
> > distribution.
>
> I think it's clearly a perl core bug when the concatenation of several
> NON-TAINTED scalars becomes TAINTED.
>
> Everything else in bug description just relates to environment - it
> only reproduces in Bugzilla and in specific perl version(s?).
>
> I can't easily reproduce the issue in a simple perl script, but it
> happens and it's rather unpleasant...

Unfortunately, if we don't have a reproducible example of the bug, we cannot help you.

> Bugzilla::Product and Bugzilla::Component are of course parts of
> Bugzilla.

--
James E Keenan (jkeenan@cpan.org)

p5pRT commented Jan 20, 2016

From vz-bitcard@zeitlins.org

> Unfortunately, if we don't have a reproducible example of the bug, we
> cannot help you.

I understand this perfectly well and I don't expect any action here, but I'd just like to leave a note saying that I ran into the same issue after upgrading an old Bugzilla 3.6 installation which was previously running nicely with 5.15 to 5.20 and spent an hour or so trying to understand what was happening -- unsuccessfully.

So while I don't have a way to reproduce it either (I tried but failed), at the very least this problem is not specific to the original reporter and can be reliably reproduced with Bugzilla 3.6 and Perl 5.20.

p5pRT commented Apr 21, 2016

From @jkeenan

On Wed Jan 20 05:27:42 2016, V.Z wrote:

> > Unfortunately, if we don't have a reproducible example of the bug, we
> > cannot help you.
>
> I understand this perfectly well and I don't expect any action here,
> but I'd just like to leave a note saying that I ran into the same
> issue after upgrading an old Bugzilla 3.6 installation which was
> previously running nicely with 5.15 to 5.20 and spent an hour or so
> trying to understand what was happening -- unsuccessfully.
>
> So while I don't have a way to reproduce it either (I tried but
> failed), at the very least this problem is not specific to the
> original reporter and can be reliably reproduced with Bugzilla 3.6 and
> Perl 5.20.

I discussed this issue with a Mozilla Bugzilla developer who spoke at this past weekend's DC-Baltimore Perl Workshop. He commented that the bug appears to be on a fork of Bugzilla of which he was previously unaware.

So, there's clearly nothing more for P5P to do here, so I'm closing this ticket. Any further issues should first be filed with the CPAN distribution or with Bugzilla itself.

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)

@p5pRT p5pRT closed this as completed Apr 21, 2016

p5pRT commented Apr 21, 2016

@jkeenan - Status changed from 'open' to 'rejected'
