Trouble with mod_perl, Archive::Zip and taint mode

on 25.05.2008 21:45:24 by roberto

[Please CC me on all replies]

So, I am writing some simple code to allow a user to upload his own
photo galleries. The section of code giving me problems is this:

    my $scratch_dir = $gallery_dir . "/scratch";
    my $zipper = Archive::Zip->new();
    my $zip_stat = $zipper->read($destfile);
    if ($zip_stat == Archive::Zip::AZ_OK) {
        $zipper->extractTree('.', $scratch_dir);
        print "Extracted archive contents into target directory.\n";
    } else {
        print "Unable to operate on the uploaded archive file. Please fix the problem and upload again.\n";
    }

When I call extractTree() in the manner shown above, I get the
"Extracted archive..." output, but nothing is actually extracted. If I
change the call to extractTree() with no arguments, I get a 500 error
and this in my Apache log:

[Sun May 25 08:57:35 2008] [error] [asp] [11570] [error] error executing
code for include /var/www/templates/Photo_page_edit.tmpl: Insecure
dependency in open while running setgid at /usr/lib/perl/5.8/IO/File.pm
line 70. <--> ; compiled to SCALAR(0x91f6f24) at
/usr/share/perl5/Apache/ASP/Response.pm line 844. <--> ,
/usr/share/perl5/Apache/ASP.pm line 1521

If I try this, I also get the same taint error:

    my $scratch_dir = $gallery_dir . "/scratch";
    my $zipper = Archive::Zip->new();
    my $zip_stat = $zipper->read($destfile);
    if ($zip_stat == Archive::Zip::AZ_OK) {
        my @members = $zipper->memberNames();
        foreach my $fn (@members) {
            $fn =~ /(.*)/;
            $fn = $1;
            $zipper->extractMember($fn);
        }
        print "Extracted archive contents into target directory.\n";
    } else {
        print "Unable to operate on the uploaded archive file. Please fix the problem and upload again.\n";
    }

I have also tried adding in gratuitous untaintings, but to no avail.
Has anyone been able to make Archive::Zip work? If so, how? I am very
close to just using system() to call /usr/bin/unzip, but that is not
very portable.

Regards,

-Roberto

P.S. The server running this site is Debian Etch, so unfortunately, I
cannot use Archive::Extract which is included in Perl 5.10.0.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
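
The second snippet above untaints each member name with /(.*)/, which accepts any string. As an added example (not code from this thread), the following Perl untaints member names against an allowlist before extractMember() is called; untaint_member_name, extract_validated and the permitted character set are assumptions made for illustration.

```perl
# Run under taint mode, e.g. perl -T <script>
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Spec;

# Return an untainted relative path, or undef if the name is not acceptable.
# The allowlist below is an assumption; adjust it to the names you expect.
sub untaint_member_name {
    my ($name) = @_;
    return if $name =~ m{\A/} || $name =~ m{\\};   # absolute path or backslash
    my @clean;
    for my $part (split m{/}, $name) {
        # Rejects empty components, ".", ".." and dotfiles such as .htaccess.
        return unless $part =~ /\A([A-Za-z0-9_][A-Za-z0-9_. -]*)\z/;
        push @clean, $1;                           # captures are untainted
    }
    return @clean ? join('/', @clean) : undef;
}

# Extract only file members whose names validate; returns (\@done, \@rejected).
# $zip_path and $dest_dir are assumed to be untainted by the caller.
sub extract_validated {
    my ($zip_path, $dest_dir) = @_;
    my $zip = Archive::Zip->new();
    die "cannot read $zip_path\n" unless $zip->read($zip_path) == AZ_OK;
    my (@done, @rejected);
    for my $member ($zip->members()) {
        next if $member->isDirectory();
        my $safe = untaint_member_name($member->fileName());
        if (!defined $safe) { push @rejected, $member->fileName(); next; }
        my $target = File::Spec->catfile($dest_dir, split m{/}, $safe);
        if ($zip->extractMember($member, $target) == AZ_OK) { push @done, $safe }
        else { push @rejected, $member->fileName() }
    }
    return (\@done, \@rejected);
}

# Constructed sample names (not from the thread) to show the validation.
for my $name ('holiday/img_001.jpg', '../../etc/passwd', '/tmp/x.jpg',
              'a/./b.jpg', '.htaccess', 'pics\\evil.jpg') {
    my $safe = untaint_member_name($name);
    printf "%-20s %s\n", $name, defined $safe ? "ok -> $safe" : 'rejected';
}
```

Only the first sample name is accepted; the others are rejected before any path reaches the filesystem.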


Re: Trouble with mod_perl, Archive::Zip and taint mode

on 27.05.2008 22:07:29 by roberto

Does anybody have any ideas on this?

Regards,

-Roberto

On Sun, May 25, 2008 at 03:45:24PM -0400, Roberto C. Sánchez wrote:
> [Please CC me on all replies]
>
> So, I am writing some simple code to allow a user to upload his own
> photo galleries. The section of code giving me problems is this:
>
>     my $scratch_dir = $gallery_dir . "/scratch";
>     my $zipper = Archive::Zip->new();
>     my $zip_stat = $zipper->read($destfile);
>     if ($zip_stat == Archive::Zip::AZ_OK) {
>         $zipper->extractTree('.', $scratch_dir);
>         print "Extracted archive contents into target directory.\n";
>     } else {
>         print "Unable to operate on the uploaded archive file. Please fix the problem and upload again.\n";
>     }
>
> When I call extractTree() in the manner shown above, I get the
> "Extracted archive..." output, but nothing is actually extracted. If I
> change the call to extractTree() with no arguments, I get a 500 error
> and this in my Apache log:
>
> [Sun May 25 08:57:35 2008] [error] [asp] [11570] [error] error executing
> code for include /var/www/templates/Photo_page_edit.tmpl: Insecure
> dependency in open while running setgid at /usr/lib/perl/5.8/IO/File.pm
> line 70. <--> ; compiled to SCALAR(0x91f6f24) at
> /usr/share/perl5/Apache/ASP/Response.pm line 844. <--> ,
> /usr/share/perl5/Apache/ASP.pm line 1521
>
> If I try this, I also get the same taint error:
>
>     my $scratch_dir = $gallery_dir . "/scratch";
>     my $zipper = Archive::Zip->new();
>     my $zip_stat = $zipper->read($destfile);
>     if ($zip_stat == Archive::Zip::AZ_OK) {
>         my @members = $zipper->memberNames();
>         foreach my $fn (@members) {
>             $fn =~ /(.*)/;
>             $fn = $1;
>             $zipper->extractMember($fn);
>         }
>         print "Extracted archive contents into target directory.\n";
>     } else {
>         print "Unable to operate on the uploaded archive file. Please fix the problem and upload again.\n";
>     }
>
> I have also tried adding in gratuitous untaintings, but to no avail.
> Has anyone been able to make Archive::Zip work? If so, how? I am very
> close to just using system() to call /usr/bin/unzip, but that is not
> very portable.
>
> Regards,
>
> -Roberto
>
> P.S. The server running this site is Debian Etch, so unfortunately, I
> cannot use Archive::Extract which is included in Perl 5.10.0.
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


Re: Trouble with mod_perl, Archive::Zip and taint mode

on 27.05.2008 23:48:14 by Perrin Harkins

On Sun, May 25, 2008 at 3:45 PM, Roberto C. Sánchez
> [Sun May 25 08:57:35 2008] [error] [asp] [11570] [error] error executing
> code for include /var/www/templates/Photo_page_edit.tmpl: Insecure
> dependency in open while running setgid at /usr/lib/perl/5.8/IO/File.pm
> line 70. <--> ; compiled to SCALAR(0x91f6f24) at
> /usr/share/perl5/Apache/ASP/Response.pm line 844. <--> ,
> /usr/share/perl5/Apache/ASP.pm line 1521

You may be seeing the same problem that these people had:
http://mail-archives.apache.org/mod_mbox/perl-modperl/200705.mbox/%3cD4E105722D20344AA9F50C624B1C24EE0B2E1932@LDNPCMEU301VEUA.INTRANET.BARCAPINT.COM%3e

If so, upgrading to Perl 5.8.8+ and mod_perl 2.0.3+ will probably fix it.

> P.S. The server running this site is Debian Etch, so unfortunately, I
> cannot use Archive::Extract which is included in Perl 5.10.0.

Just because it's not part of the core perl libs doesn't mean you
can't install it. This problem is probably fixable by upgrading Perl
or mod_perl though.

- Perrin

Re: Trouble with mod_perl, Archive::Zip and taint mode

on 30.05.2008 03:35:56 by roberto

On Tue, May 27, 2008 at 05:48:14PM -0400, Perrin Harkins wrote:
> On Sun, May 25, 2008 at 3:45 PM, Roberto C. Sánchez
> > [Sun May 25 08:57:35 2008] [error] [asp] [11570] [error] error executing
> > code for include /var/www/templates/Photo_page_edit.tmpl: Insecure
> > dependency in open while running setgid at /usr/lib/perl/5.8/IO/File.pm
> > line 70. <--> ; compiled to SCALAR(0x91f6f24) at
> > /usr/share/perl5/Apache/ASP/Response.pm line 844. <--> ,
> > /usr/share/perl5/Apache/ASP.pm line 1521
>
> You may be seeing the same problem that these people had:
> http://mail-archives.apache.org/mod_mbox/perl-modperl/200705.mbox/%3cD4E105722D20344AA9F50C624B1C24EE0B2E1932@LDNPCMEU301VEUA.INTRANET.BARCAPINT.COM%3e
>
> If so, upgrading to Perl 5.8.8+ and mod_perl 2.0.3+ will probably fix it.
>
That was it. Etch already has Perl 5.8.8, but only mod_perl 2.0.2.
Updating to 2.0.4 caused that particular error to go away. Of course I
have a different one now, but I am working on tracking it down.

> > P.S. The server running this site is Debian Etch, so unfortunately, I
> > cannot use Archive::Extract which is included in Perl 5.10.0.
>
> Just because it's not part of the core perl libs doesn't mean you
> can't install it. This problem is probably fixable by upgrading Perl
> or mod_perl though.
>
Of course, except that if I install it, as soon as I upgrade the server
to the next Debian release, I will have a conflict. That is why I was
trying to avoid installing it "out of band", so to speak.

Thanks for the tip on the mailing list thread.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
