This queue is for tickets about the DBI CPAN distribution.

Report information
The Basics
Id: 99508
Status: open
Priority: 0/
Queue: DBI

People
Owner: Nobody in particular
Requestors: MITHALDU [...] cpan.org
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 1.632



Subject: Tables will erroneously be opened in current folder if f_dir set to a relative path that does not exist
Ticketing this as per Tux' request. I'll describe it as a series of shell commands. Of these, the first two behaviors are misbehavior and only the last case is correct.

In the first case it should not search in '.', but ONLY in 'test', and raise the error accordingly.

In the second case it should not search in '.' and use the file 'yy.csv' found there. Instead it should search only in 'test' and disregard files found elsewhere.

$ cd /tmp

$ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
...
Cannot open /tmp/yy.csv: No such file or directory (2) at /pro/lib/perl5/site_perl/5.20.0/x86_64-linux-thread-multi-ld/DBI/DBD/SqlEngine.pm line 1589.

$ echo [useful content] > yy.csv

$ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
[ 1 ]

$ mkdir test
$ mv yy.csv test/
$ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
[ 1 ]
Even with an absolute path it misbehaves:

$ rm -rf test
$ perl -MDBI -MData::Dumper -wE'$a=DBI->connect("dbi:CSV:f_dir=/tmp/test/;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;'
...
Cannot open /tmp/yy.csv: No such file or directory (2)
On Wed 15 Oct 2014 10:58:53, MITHALDU wrote:
> Ticketing this as per Tux' request. I'll describe it as a series of
> shell commands. Of these, the first two behaviors are misbehavior and
> only the last case is correct.
>
> In the first case it should not search in '.', but ONLY in 'test', and
> raise the error accordingly.
>
> In the second case it should not search in '.' and use the file
> 'yy.csv' found there. Instead it should search only in 'test' and
> disregard files found elsewhere.
>
> $ cd /tmp
>
> $ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
>
> ...
> Cannot open /tmp/yy.csv: No such file or directory (2) at
> /pro/lib/perl5/site_perl/5.20.0/x86_64-linux-thread-multi-ld/DBI/DBD/SqlEngine.pm line 1589.
>
> $ echo [useful content] > yy.csv
>
> $ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
>
> [ 1 ]
>
> $ mkdir test
>
> $ mv yy.csv test/
>
> $ perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
>
> [ 1 ]
Is this fixed? Changes for DBI-1.632 mention it is fixed, but I can still see the bad behavior with DBI-1.643 and DBD-CSV-0.55:

$ touch yy.csv
[test@fedora-34 tmp]$ perl -MDBI -wE 'DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1})->prepare("select distinct foo from yy")->execute;'
DBD::CSV::st execute failed: Execution ERROR: Missing first row due to EOF - End of data in parsing input stream at /usr/lib64/perl5/vendor_perl/DBI/DBD/SqlEngine.pm line 1480.
.
[...]

It opens ./yy.csv instead of ./test/yy.csv. It should report an error because there is no ./test directory:

$ strace -e file -- perl -MDBI -wE 'DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1})->prepare("select distinct foo from yy")->execute;
[...]
openat(AT_FDCWD, "/usr/share/perl5/File/Basename.pm", O_RDONLY|O_CLOEXEC) = 3
getcwd("/tmp", 4096) = 5
stat("./test", 0x55cae9b864b8) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib64/perl5/5.32/SQL/Dialects/AnyData.pmc", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib64/perl5/5.32/SQL/Dialects/AnyData.pm", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/local/share/perl5/5.32/SQL/Dialects/AnyData.pmc", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/local/share/perl5/5.32/SQL/Dialects/AnyData.pm", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/perl5/vendor_perl/SQL/Dialects/AnyData.pmc", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/perl5/vendor_perl/SQL/Dialects/AnyData.pm", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/share/perl5/vendor_perl/SQL/Dialects/AnyData.pmc", 0x7ffd83035c80) = -1 ENOENT (No such file or directory)
stat("/usr/share/perl5/vendor_perl/SQL/Dialects/AnyData.pm", {st_mode=S_IFREG|0644, st_size=2092, ...}) = 0
openat(AT_FDCWD, "/usr/share/perl5/vendor_perl/SQL/Dialects/AnyData.pm", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/local/lib64/perl5/5.32/SQL/Dialects/Role.pmc", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/local/lib64/perl5/5.32/SQL/Dialects/Role.pm", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/local/share/perl5/5.32/SQL/Dialects/Role.pmc", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/local/share/perl5/5.32/SQL/Dialects/Role.pm", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/perl5/vendor_perl/SQL/Dialects/Role.pmc", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/perl5/vendor_perl/SQL/Dialects/Role.pm", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/share/perl5/vendor_perl/SQL/Dialects/Role.pmc", 0x7ffd83035580) = -1 ENOENT (No such file or directory)
stat("/usr/share/perl5/vendor_perl/SQL/Dialects/Role.pm", {st_mode=S_IFREG|0644, st_size=2560, ...}) = 0
openat(AT_FDCWD, "/usr/share/perl5/vendor_perl/SQL/Dialects/Role.pm", O_RDONLY|O_CLOEXEC) = 4
lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=220, ...}) = 0
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=220, ...}) = 0
openat(AT_FDCWD, "/tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "/tmp/yy.csv", O_RDONLY|O_CLOEXEC) = 3
DBD::CSV::st execute failed: Execution ERROR: Missing first row due to EOF - End of data in parsing input stream at /usr/lib64/perl5/vendor_perl/DBI/DBD/SqlEngine.pm line 1480.
.
[...]

But when I create the missing directory:

$ mkdir test
[test@fedora-34 tmp]$ perl -MDBI -wE 'DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1})->prepare("select distinct foo from yy")->execute;'
DBD::CSV::st execute failed: Execution ERROR: Cannot open /tmp/test/yy.csv: No such file or directory (2) at /usr/lib64/perl5/vendor_perl/DBI/DBD/SqlEngine.pm line 1624.

It behaves correctly. It looks like it falls back to the current directory if the f_dir directory does not exist.
Subject: [rt.cpan.org #99508] DBI: Tables will erroneously be opened in current folder if f_dir set to a relative path that does not exist
Date: Tue, 15 Sep 2020 18:47:25 +0200
To: bug-dbi [...] rt.cpan.org
From: Sylvain Beucler <beuc [...] beuc.net>
Hi,

I confirm that the original poster's reproducer still behaves the same with and without the fix [1].

In DBD::File:connect(), it looks like parse_dsn() is used incorrectly because it's given $dbname which is not a valid DSN (doesn't start with dbi:xxx), hence the parameters are not parsed/returned, and not validated by the first test.

The f_dir parameter isn't present in $attr either, in the second test (I believe this is only the case when f_dir is passed as an explicit parameter rather than through the DSN).

The test case passes f_dir as an explicit parameter. We probably lack a test variant with f_dir passed within the DSN.

[1] https://github.com/perl5-dbi/dbi/commit/caedc0d7d602f5b2ae5efc1b00f39efeafb7b05a

Cheers!
Sylvain Beucler
Debian LTS Team
Subject: Re: [rt.cpan.org #99508] DBI: Tables will erroneously be opened in current folder if f_dir set to a relative path that does not exist
Date: Tue, 15 Sep 2020 19:38:48 +0200
To: bug-dbi [...] rt.cpan.org
From: Sylvain Beucler <beuc [...] beuc.net>
More clearly put: f_dir is only validated through the parameters vector, not through the DSN vector.

# ls
yy.csv
# perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
[ 1 ]
# perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_ext=.csv/r",undef,undef,{f_dir=>"./test",RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
No such directory './test at /usr/lib/x86_64-linux-gnu/perl5/5.20/DBI.pm line 671.

Cheers!
Sylvain Beucler
Debian LTS Team
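An added check script, not code from the ticket or from DBI/DBD::CSV, that exercises both vectors distinguished above (f_dir inside the DSN and f_dir as a connect() attribute) against whatever DBI and DBD::CSV are installed; it assumes DBD::CSV is available and builds a constructed decoy yy.csv in a fresh temporary directory to stand in for the reporter's /tmp layout.

```perl
#!/usr/bin/env perl
# Added check script (not from the ticket, DBI or DBD::CSV): probes whether the
# installed DBD::File stack falls back to "." when f_dir names a missing
# directory, for both vectors discussed in the ticket (f_dir in the DSN vs.
# f_dir as a connect() attribute). Assumes DBD::CSV is installed.
use strict;
use warnings;
use DBI;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Constructed layout mirroring the reporter's: a decoy yy.csv in the working
# directory and no "./test" directory at all.
my $orig = getcwd();
my $work = tempdir(CLEANUP => 1);
chdir $work or die "chdir $work: $!";
open my $fh, '>', 'yy.csv' or die "yy.csv: $!";
print $fh "foo\n1\n";
close $fh or die "yy.csv: $!";

# Runs the reporter's query; "leaked" means the decoy in "." was read even
# though f_dir points elsewhere, "contained" means DBI refused (the error
# text is returned as the second element for inspection).
sub probe {
    my ($dsn, %extra) = @_;
    my $rows = eval {
        my $dbh = DBI->connect($dsn, undef, undef,
            { RaiseError => 1, PrintError => 0, %extra });
        my $sth = $dbh->prepare('select distinct foo from yy');
        $sth->execute;
        $sth->fetchall_arrayref;
    };
    return ('contained', $@ || 'no rows') unless $rows && @$rows;
    return ('leaked', "read " . scalar(@$rows) . " row(s) from ./yy.csv");
}

my %vectors = (
    'f_dir in DSN'       => ['dbi:CSV:f_dir=./test;f_ext=.csv/r'],
    'f_dir as attribute' => ['dbi:CSV:f_ext=.csv/r', f_dir => './test'],
);
for my $name (sort keys %vectors) {
    my ($verdict, $detail) = probe(@{ $vectors{$name} });
    printf "%-20s %-10s %s\n", $name, $verdict, $detail;
}

chdir $orig or die "chdir $orig: $!";
```

On an unfixed stack the DSN vector reports "leaked" while the attribute vector reports "contained" with the "No such directory" error, which is exactly the asymmetry described above.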
Subject: Re: [rt.cpan.org #99508] DBI: Tables will erroneously be opened in current folder if f_dir set to a relative path that does not exist
Date: Tue, 15 Sep 2020 21:08:55 +0200
To: bug-DBI [...] rt.cpan.org
From: "H.Merijn Brand" <tux [...] freedom.nl>
On Tue, 15 Sep 2020 13:38:56 -0400, "Sylvain Beucler via RT" <bug-DBI@rt.cpan.org> wrote:
> Queue: DBI
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=99508 >
>
> More clearly put: f_dir is only validated through the parameters
> vector, not through the DSN vector.

Not validating was on purpose. The folder need not be there before the first action to use it.

Inconsistency between parameters and DSN is debatable. I'll think about it ...

What the best spot for validation is and when to warn/croak depends on way too many things. Look at f_dir as specifying the SCHEMA in a "normal" database.

select * from FOOBLE.bar;

is a legal statement, but it will fail if FOOBLE cannot be addressed. A process can put it inside eval {} to catch it. This is how most of DBI operations work.

> # ls
> yy.csv
> # perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_dir=./test;f_ext=.csv/r",undef,undef,{RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
> [ 1 ]
> # perl -MDBI -MDP -wE'$a=DBI->connect("dbi:CSV:f_ext=.csv/r",undef,undef,{f_dir=>"./test",RaiseError=>1});$b=$a->prepare("select distinct foo from yy");$b->execute;DDumper$b->fetch'
> No such directory './test at /usr/lib/x86_64-linux-gnu/perl5/5.20/DBI.pm line 671.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team

--
H.Merijn Brand  https://tux.nl  Perl Monger  http://amsterdam.pm.org/
using perl5.00307 .. 5.33  porting perl5 on HP-UX, AIX, and Linux
https://useplaintext.email  https://www.test-smoke.org  http://qa.perl.org  http://www.goldmark.org/jeff/stupid-disclaimers/

Subject: Re: [rt.cpan.org #99508] DBI: Tables will erroneously be opened in current folder if f_dir set to a relative path that does not exist
Date: Wed, 16 Sep 2020 14:49:49 +0200
To: bug-dbi [...] rt.cpan.org
From: Sylvain Beucler <beuc [...] beuc.net>
Hi,

I'm discussing this issue because it was marked as a security issue under CVE-2014-10401 ("DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute"), hence distros are now considering whether to backport a fix.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10401

From a security PoV, it looks like there are 2 vectors to this vulnerability, but only 1 of them is fixed. (Admittedly the severity of the vulnerability doesn't seem high, yet it would be incorrect to mark it as fixed if we don't fully fix it.)

In my first reply I noted that the following code in DBD::File:connect() looks like (and is documented as) an attempt to validate the DSN:
https://metacpan.org/source/TIMB/DBI-1.643/lib/DBD/File.pm#L109

However it appears not to work, due to attempting to parse $dbname as a full DSN. (The second test: https://metacpan.org/source/TIMB/DBI-1.643/lib/DBD/File.pm#L120 does validate the non-DSN parameters.)

You wrote that "Not validating was on purpose", so this is a bit confusing. Are we talking about the same issue?

Cheers!
Sylvain Beucler
Debian LTS Team
On Wed 16 Sep 2020 08:50:00, beuc@beuc.net wrote:
> From a security PoV, it looks like there are 2 vectors to this
> vulnerability, but only 1 of them is fixed.
The still vulnerable vector (f_dir in DSN) was assigned CVE-2014-10402.
Please prove whether https://github.com/perl5-dbi/dbi/pull/93 fixes the issue for you or not.