This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 53733
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: degatcpan [...] ntlworld.com
klchu [...] lbl.gov
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 14:10:41 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: ken <klchu [...] lbl.gov>
CGI.pm-3.48
perl: This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi
OS: Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux
It can also be reproduced on Linux 2.6.22.18-1 x86_64 GNU/Linux.

Error message:
Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.10.0/CGI.pm line 532

In a sample HTML form with a text input, enter a single plus sign '+' without quotes. You get the above error. No other character gives this error. Two or more plus signs are fine, and a plus sign with a space, '+ ' without quotes, is fine too.

Ken
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 17:14:12 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
> CGI.pm-3.48
> perl:
> This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi
> OS:
> Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux
> It can be reproducible in
> Linux 2.6.22.18-1 x86_64 GNU/Linux
>
> Error message:
> Insecure dependency in require while running with -T switch at
> /usr/local/share/perl/5.10.0/CGI.pm line 532
>
> In a sample html form with text input enter a single plus sign '+'
> without quotes.
> You get the above error. No other characters gives this error.
> You can put 2 or more plus sign its fine or a plus sign with a space its
> fine too, '+ ' without quotes.
Thanks for the report, Ken.

Would you be able to provide a more complete example to review?

Mark
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 14:50:45 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: ken <klchu [...] lbl.gov>
Mark,

Here is the URL to my test code: http://merced.jgi-psf.org/cgi-bin/perltest/test.cgi

test.cgi:

    #!/bin/sh
    # Taint mode refuses to exec with an untrusted PATH, so clear it first.
    PATH=""
    export PATH
    /jgi/tools/perl5/5.10.1/bin/perl -I`pwd` -T test.pl

test.pl:

    use strict;
    use warnings;
    use CGI qw( :standard );
    use CGI::Session;
    use Data::Dumper;

    $| = 1;
    my $cgi = CGI->new;
    print header( -type => "text/html" );
    print qq{
    <html>
    <form method="post" action="test.cgi" name="searchForm">
    <input type="text" maxlength="20" name="search" />
    <input type="submit" name="test" value="Submit" />
    </form>
    </html>
    };

    # param() returns undef when the form has not been submitted yet.
    my $searchTerm = param("search");
    if ( defined $searchTerm && $searchTerm ne "" ) {
        print "<p>";
        print "Search term: $searchTerm\n";
    }
    exit(0);

Ken

mark@summersault.com via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=53733 >
>
>> CGI.pm-3.48
>> perl:
>> This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi
>> OS:
>> Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux
>> It can be reproducible in
>> Linux 2.6.22.18-1 x86_64 GNU/Linux
>>
>> Error message:
>> Insecure dependency in require while running with -T switch at
>> /usr/local/share/perl/5.10.0/CGI.pm line 532
>>
>> In a sample html form with text input enter a single plus sign '+'
>> without quotes.
>> You get the above error. No other characters gives this error.
>> You can put 2 or more plus sign its fine or a plus sign with a space its
>> fine too, '+ ' without quotes.
>
> Thanks for the report, Ken.
>
> Would you be able to provide a more complete example to review?
>
> Mark
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Sat, 16 Jan 2010 12:43:19 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Yanick Champoux <yanick [...] babyl.dyndns.org>
Hmm... I've tried to reproduce the bug locally, and so far I have had no luck. I'm using CGI v3.48 and apache2.
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Sat, 16 Jan 2010 18:40:20 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: Ken Chu <KLChu [...] lbl.gov>
Apparently it might be a Perl 5.10.x bug. It works completely fine with Perl 5.8.x:
http://www.perlmonks.org/?node_id=753912

Ken

On 1/16/2010 9:43 AM, yanick@babyl.dyndns.org via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=53733>
>
> Hmm... I've tried to reproduce the bug locally, and so far I had no luck.
>
> I'm using CGI v3.48, and apache2.
Subject: Spurious "Insecure dependency" error
Minimal code that produces the error:

    #!/usr/bin/perl -T
    use strict;
    use warnings;
    use CGI;

    my $cgi = CGI->new;
    print $cgi->header( -charset => 'utf-8' ),
        $cgi->start_html(),
        $cgi->start_form( -name => 'form' ),
        $cgi->table(
            $cgi->Tr(
                $cgi->td(
                    # remove this radio group, and using the + or - symbol
                    # below does not cause an error
                    $cgi->radio_group(
                        -name    => 'test radio',
                        -values  => [ 0 .. 1 ],
                        -labels  => { 0 => 0, 1 => 1 },
                        -default => 0,
                    ),
                ),
                $cgi->td(
                    $cgi->submit(
                        -name  => 'test +',
                        # causes 'Insecure dependency in require while running
                        # with -T switch' error (as does '-')
                        -value => '+',
                    ),
                ),
            ),
        ),
        $cgi->end_form,
        $cgi->end_html;
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Tue, 13 Sep 2011 13:49:09 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks for the report, do you have an idea of how to fix it?

Mark
On Tue Sep 13 13:49:20 2011, mark@summersault.com wrote:
> Thanks for the report, do you have an idea of how to fix it?
>
> Mark
No, the only progress I have made is that you can run the example code from the command line, e.g.

    perl -T test.pl "test +=-"

and that will produce the error (although strangely "test +=+" does not). Also I updated to version 3.55, which still produces the error.

Problem line(s) from 533 of CGI.pm:

    for my $fh (grep {defined(fileno($_))} @$val) {
        seek($fh,0,0); # reset the filehandle.
    }

When '-' is in the @$val array, the error is generated. If you remove the radio group code in the example, the code above does not get executed, so no error is generated.

I do not think I will get further in finding a solution.

dan
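As an added illustration (not code from this ticket or from CGI.pm), the ref-before-fileno guard that the thread arrives at, run over a constructed parameter list that mixes tainted strings such as '+' and '-' with a real filehandle, the way a $QUERY_PARAM arrayref can; the function names and the in-memory upload handle are assumptions made here. Run it as perl -T guard.pl so the strings are actually tainted.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted openhandle);

# CGI.pm's original filter as quoted in this ticket (line 533): fileno() is
# evaluated for every element of the arrayref, plain form strings included.
sub filehandles_unguarded {
    my ($val) = @_;
    return grep { defined( fileno($_) ) } @$val;
}

# Guard from the posted patch: ref() short-circuits, so fileno() is only
# ever called on references and never on a (tainted) string such as '+' or '-'.
sub filehandles_guarded {
    my ($val) = @_;
    return grep { ref($_) && defined( fileno($_) ) } @$val;
}

# Constructed input (assumption: this stands in for parsed form values).
# Under -T every %ENV value is tainted, and a zero-length substr of one
# carries that taint onto our strings the way real form input would.
my $taint = substr( $ENV{PATH} // '', 0, 0 );
open my $upload, '<', \"constructed upload body" or die "open: $!";
my @val = ( "+$taint", "-$taint", "plain text$taint", $upload );

printf "taint mode %s\n", ${^TAINT} ? 'on' : 'off (run with perl -T)';
for my $v (@val) {
    printf "  %-14s ref=%-4s tainted=%d\n",
        ref $v ? 'filehandle' : "'$v'", ref($v) || 'no', tainted($v) ? 1 : 0;
}

my @safe = filehandles_guarded( \@val );
die "guard let a non-handle through\n" if grep { !openhandle($_) } @safe;
print scalar(@safe), " handle(s) selected by the guarded filter\n";

# The unguarded filter is what produced the ticket's error on perl 5.10.x;
# it runs under eval so the script also completes on perls that no longer fail.
my @unsafe = eval { filehandles_unguarded( \@val ) };
print $@
    ? "unguarded filter died: $@"
    : scalar(@unsafe) . " handle(s) selected by the unguarded filter\n";
```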
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Tue, 13 Sep 2011 16:30:19 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks for looking, Dan. You could also try asking on perlmonks.org or Stack Overflow about this. Otherwise, someone will eventually find this ticket here and work on it.

Mark
Perlmonks helpfully provided the attached patch (the error is caused by a bug in Perl.) There is an idea to add the following to the patch, although further testing is said to be required. @@ -820,7 +820,7 @@ # put a filehandle into binary mode (DOS) sub binmode { - return unless defined($_[1]) && defined fileno($_[1]); + return unless defined($_[1]) && ref ($_[1]) && defined fileno($_[1]); CORE::binmode($_[1]); } (I need to use the --ignore-whitespace option to patch to get it to stick.)
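Review bot: the added `ref ($_[1]) &&` on the `return unless` line of `sub binmode` closes the same hole as the attached grep patch, since `&&` short-circuits before `fileno` can see a plain scalar, but as posted the hunk needed `--ignore-whitespace` to apply and the poster says it is untested, so it should be regenerated with `diff -u` against the exact CGI.pm revision it targets and the stray space in `ref ($_[1])` dropped to match `fileno($_[1])` on the same line. A regression test covering both this `binmode` path and the line-533 grep would be a form value of `'+'` or `'-'` under `-T`, which is the trigger described earlier in the thread.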
Subject: cgi.patch
--- C:\perl\5.14.1\lib\CGI.pm 2011-06-03 08:36:31.000000000 -0700 +++ CGI.pm 2011-09-14 07:49:32.031250000 -0700 @@ -513,7 +513,7 @@ my $val = $QUERY_PARAM{$name}; # always an arrayref; $self->param('-name'=>$name,'-value'=> $val); if (defined $val and ref $val eq 'ARRAY') { - for my $fh (grep {defined(fileno($_))} @$val) { + for my $fh (grep {ref($_) and defined(fileno($_))} @$val) { seek($fh,0,0); # reset the filehandle. }
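Review bot: `grep {ref($_) and defined(fileno($_))} @$val` correctly keeps plain scalars away from `fileno`, which is the call the thread traces the "Insecure dependency in require" error to, but the `---` header names `C:\perl\5.14.1\lib\CGI.pm`, an absolute local path, so the patch should be regenerated against the distribution's `lib/CGI.pm` with relative paths before it is applied to the release tree. Note also that `ref($_)` is true for any reference, not only filehandles; that matches the previous behaviour for such values, and `Scalar::Util::openhandle($_)` would be the stricter test if one is wanted. The same guard is still needed in the `sub binmode` hunk proposed in the previous message so both call sites are covered.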
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Wed, 14 Sep 2011 11:56:49 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Excellent. Thanks. I'll credit you when it appears in a release.

Mark
Thanks. I'm releasing the proposed fix today.

