Question
After upgrading apache my twiki now sends me the results of a cron job with this error in it:
Subject:Cron <root@avas> (cd /home/httpd/twiki/bin; ./mailnotify -q)
Insecure dependency in connect while running with -T switch at /usr/local/lib/perl5/5.8.1/i686-linux/IO/Socket.pm line 114.
Events prior to this were:
Upgraded Perl
- Removed old perl trying to find errors for other programs, found and corrected them.
Upgraded Apache
- Location changed as a result of the upgrade, this broke my twiki.
- Reconfigured new apache to twiki install, this corrected twiki viewing.
- Some time later discovered editing didn't work and corrected.
- Now receive the error above.
Running the mailnotify script by hand as root gives this:
TWiki mail notification
-to suppress all normal output: mailnotify -q
Checking TWiki.Know
none (this is enclosed in angle brackets...)
Checking TWiki.Main
- Changed topics since 09 Nov 2003 - 5:00: RBLsHowTo WebHome
- Sending mail notification to: XXXX@XXXXX.XXXX
Insecure dependency in connect while running with -T switch at /usr/local/lib/perl5/5.8.1/i686-linux/IO/Socket.pm line 114.
I've checked the user that mailnotify is (nobody) and it runs as root from the root crontab. Any suggestions?
--
KevinGagel - 11 Dec 2003
Answer
It looks like Net::SMTP and/or IO::Socket got more strict in regards to taint checking.
Simple workaround: Turn off taint check by removing the -T flag from mailnotify, e.g. to have:
#!/usr/bin/perl -w
Troubleshoot: Trace back from where the taint check error occurs. See TWikiDebugging.
--
PeterThoeny - 17 Dec 2003
The TWiki::writeDebug led me to the following line of the mailnotify script:
my $error = &TWiki::Net::sendEmail( $text );
The writeDebugs show up prior to that line but not after. I've searched the system for any program named sendEmail, I've searched TWiki.pm for any line with sendEmail and I've checked the TWiki directory items that it might be calling. I can't find anything that sendEmail would refer to. Since I'm not up on Perl or the TWiki code I'm not that surprised about that.
I added a TWiki::writeDebug line to the Socket.pm just prior to line 114, on line 112. The debug output has two variables in it, $sock and $addr; it gives me this:
Line 112 of Socket.pm with sock, addr as Net::SMTP=GLOB(0x85cc0f0) and û
So line 114 of Socket.pm is using those two results... What do I do?
--
KevinGagel - 23 Dec 2003
Could you test this: Add the red code at line 108 of the twiki/lib/TWiki/Net.pm file:
sub sendEmail
{
    # $theText Format: "Date: ...\nFrom: ...\nTo: ...\nCC: ...\nSubject: ...\n\nMailBody..."
    my( $theText ) = @_;
    $theText =~ /^(.*)$/s;
    $theText = $1; # untaint mail
    # Put in a Date header, mainly for Qmail
    my $dateStr = &TWiki::formatGmTime(time, 'email');
Please let us know if this fixes the problem.
--
PeterThoeny - 02 Jan 2004
According to ServerErrorDuringRegistration, above patch is not fixing the problem. Follow-up on that topic.
--
PeterThoeny - 02 Jan 2004
I needed the following patch to the twiki/lib/TWiki/Net.pm file from TWiki20040901.tar.gz:
--- twiki/lib/TWiki/Net.pm 2004-07-08 09:02:52.000000000 +0200
+++ twiki.new/lib/TWiki/Net.pm 2004-09-15 19:14:58.000000000 +0200
@@ -137,6 +137,7 @@
if( ! $mailInitialized ) {
$mailInitialized = 1;
$mailHost = &TWiki::Prefs::getPreferencesValue( "SMTPMAILHOST" );
+ $mailHost = $1 if($mailHost =~ /([-\@\w.]+)/);
$helloHost = &TWiki::Prefs::getPreferencesValue( "SMTPSENDERHOST" );
if( $mailHost ) {
eval { # May fail if Net::SMTP not installed
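Review bot: The pattern on the added line, /([-\@\w.]+)/, is unanchored, so it untaints the first matching run of characters in SMTPMAILHOST instead of validating the whole value, and when nothing matches $mailHost keeps its original, still tainted, value. Anchor it and handle the failure explicitly, for example /^([-\w.]+)$/ with $mailHost cleared and a warning written when the value is rejected; the \@ can be dropped unless an @ is really expected in a host name. $helloHost on the following context line comes from the same getPreferencesValue call and gets no equivalent check.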
Now registration works for me, but mail notification gives an error.
I use Apache-2.0.50, Perl-5.8.4, and I have installed TWiki as a normal user in ~/public_html so it runs as a cgi-bin via suExec.
--
MarcelloNuccio - 16 Sep 2004
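The behaviour behind "Insecure dependency in connect", as an added example that is not TWiki code and not from any poster in this thread: under -T a tainted address makes connect() die, and a value is untainted by validating it whole against an anchored pattern. The helper names untaint_host and connect_error, the file name taint_demo.pl and all sample values are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not TWiki code. Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Socket qw(PF_INET SOCK_STREAM inet_aton pack_sockaddr_in);

# Under -T, $^X is tainted. Appending a zero-length piece of it taints a
# constructed sample, standing in for a value read from a preferences topic.
my $TAINT = substr($^X, 0, 0);

# Hypothetical validator: the whole value must look like a host name or a
# dotted-quad address. Returns the untainted capture, or undef on rejection.
sub untaint_host {
    my ($value) = @_;
    if (defined $value
        && $value =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)\z/) {
        return $1;
    }
    return;
}

# Returns the message Perl dies with when connect() is given $host, or ''.
# Only called with a tainted value here, so Perl dies before any packet is sent.
sub connect_error {
    my ($host) = @_;
    my $addr = pack_sockaddr_in(25, inet_aton($host));  # taint propagates
    socket(my $sock, PF_INET, SOCK_STREAM, 0) or die "socket: $!";
    my $ok = eval { connect($sock, $addr); 1 };
    return $ok ? '' : $@;
}

my $ip = '127.0.0.1' . $TAINT;                           # constructed sample
print 'tainted before check: ', (tainted($ip) ? 'yes' : 'no'), "\n";
print 'connect() with tainted address: ', connect_error($ip) || "none\n";

my $clean = untaint_host($ip);
print 'tainted after anchored check: ', (tainted($clean) ? 'yes' : 'no'), "\n";

# The unanchored pattern from the patch in this thread keeps a fragment of a
# malformed value; the anchored validator rejects the value outright.
my $bad = 'mail.example.com trailing junk' . $TAINT;     # constructed sample
my ($fragment) = $bad =~ /([-\@\w.]+)/;
print "unanchored pattern kept: '$fragment'\n";
print 'anchored check: ',
    (defined(untaint_host($bad)) ? 'accepted' : 'rejected'), "\n";
```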