Skip Menu |
 

This queue is for tickets about the CGI-SSI CPAN distribution.

Report information
The Basics
Id: 12041
Status: resolved
Priority: 0/
Queue: CGI-SSI

People
Owner: james [...] bitperfect.com
Requestors: dsmith [...] avitar.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.82
Fixed in: (no value)



Subject: Infinite looping Error.
Download (untitled) / with headers
text/plain 1.3k
If you accidently have an include that is parsed as a virtual includes, and you use cache all error handling (ie a script that displays an alternate 404 error page) for your webserver (fairly prevelent) in your webserver, you can cause an infinite loop for this module causing memory problems/overflows/etc. depending on your flavor of webserver. This has been tested under windows 2000, xp, and 2003 using the most recent stable builds of ActiveState Perl versions 5.6 and 5.8 under Apache 2.0.49 to 2.0.53; Other OS's, distributions of perl, and webservers should also be vulrable to this error which may crash your webserver/OS since perl modules are theoritically portable and nearly platform independent. Earlier versions of this module may have the same logic error as well. Suggested Fixes include directory testing for local relative directories at the very least using '-e' with the relative path. This would require that the document root of the webserver (which translates into the URL) would need to be logically attained and/or provided as input into the module for translation. The error appears to be in sub _include_virtual: This original line: if($filename =~ m|^/|) { # this is on the local server Shoulde be reconsidered to something such as: if($filename =~ m|^/| && -e $self->_include_file($self->{'_variables'}->{'DOCUMENT_ROOT'}.$filename) { # this is on the local server ...etc.
Download (untitled) / with headers
text/plain 1.2k
[guest - Mon Mar 28 17:57:19 2005]: Show quoted text
> This original line: > if($filename =~ m|^/|) { # this is on the local server > > Shoulde be reconsidered to something such as: > if($filename =~ m|^/| && -e $self->_include_file($self-
> >{'_variables'}->{'DOCUMENT_ROOT'}.$filename) { # this is on the
> local server
Hello and Thank You for Your Input, I don't see that there's a bug here. If I were to add the code that you suggest, I think that the erroneous directive would still be changed into the currently-configured error message. That seems like appropriate behavior, since there is an error in the directive. It seems that it's possible to shoot yourself in the foot here, but that's not the problem of the module. As you say, "If you accidentally...". I see that there's a possibility to create circular includes which go on forever, creating real problems. However, I don't see that it's the fault of the module as it's written. If you would like for me to write in a failsafe where a file can only be included x number of times (for example), that's one thing. But it sounds like you're asking for something else here. If you would like to continue this thread, please submit a new ticket. Please provide an example of the module breaking, with example filenames, code, shtml, etc. Thanks Again, James Tolley
Download (untitled) / with headers
text/plain 2.1k
[JAMES - Tue May 3 18:28:35 2005]: Show quoted text
> [guest - Mon Mar 28 17:57:19 2005]: >
> > This original line: > > if($filename =~ m|^/|) { # this is on the local server > > > > Shoulde be reconsidered to something such as: > > if($filename =~ m|^/| && -e $self->_include_file($self-
> > >{'_variables'}->{'DOCUMENT_ROOT'}.$filename) { # this is on the
> > local server
> > Hello and Thank You for Your Input, > > I don't see that there's a bug here. If I were to add the code that
you Show quoted text
> suggest, I think that the erroneous directive would still be changed > into the currently-configured error message. That seems like
appropriate Show quoted text
> behavior, since there is an error in the directive. It seems that it's > possible to shoot yourself in the foot here, but that's not the
problem Show quoted text
> of the module. As you say, "If you accidentally...". > > I see that there's a possibility to create circular includes which go
on Show quoted text
> forever, creating real problems. However, I don't see that it's the > fault of the module as it's written. If you would like for me to write > in a failsafe where a file can only be included x number of times (for > example), that's one thing. But it sounds like you're asking for > something else here. > > If you would like to continue this thread, please submit a new ticket. > Please provide an example of the module breaking, with example > filenames, code, shtml, etc. > > Thanks Again, > > James Tolley
Other modules of this flavor I have used have a maximum recursion level. Contray to what you belive this is the type of failsafe that I was interested in this modules inclusion to prevent endless loops in memory. This is an accident that is likely to occour in web servers since close to one quarter of all servers I have encountered run perl, cpan modules, shtml, and custom error handelings (ie. 404 redirects). While no one expects any programmer to create error handeling for unlikely events, this is likely to occour due to normal human error though day to day usage. Therefore I belive it is prudent to check to see if this module is calling itself repetiously, and to build in a way of catching the endless loop.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.