Question

I've some problem with this plugin, when I try to access the ChartPlugin page I get the following error:

TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.

Insecure dependency in eval while running with -T switch

In the apache2 error log I get that:

Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/GD.pm line 95.
 at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/GD.pm line 95
        GD::AUTOLOAD() called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin/Chart.pm line 1040
        TWiki::Plugins::ChartPlugin::Chart::makeChart('TWiki::Plugins::ChartPlugin::Chart=HASH(0xb1c0618)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin.pm line 562
        TWiki::Plugins::ChartPlugin::_makeChart('TWiki::Plugins::ChartPlugin=HASH(0xb1c0548)', undef, 'ChartPlugin', 'TWiki') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin.pm line 627
        TWiki::Plugins::ChartPlugin::commonTagsHandler('---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0xabfc730)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugin.pm line 266
        TWiki::Plugin::invoke('TWiki::Plugin=HASH(0xa530f20)', 'commonTagsHandler', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0xabfc730)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins.pm line 344
        TWiki::Plugins::_dispatch('TWiki::Plugins=HASH(0xa214ec8)', 'commonTagsHandler', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0xabfc730)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins.pm line 480
        TWiki::Plugins::commonTagsHandler('TWiki::Plugins=HASH(0xa214ec8)', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0xabfc730)') called at /srv/www/htdocs/twiki420/lib/TWiki.pm line 2864
        TWiki::handleCommonTags('TWiki=HASH(0xa05de08)', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'TWiki', 'ChartPlugin', 'TWiki::Meta=HASH(0xabfc730)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI/View.pm line 396
        TWiki::UI::View::_prepare('---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'TWiki=HASH(0xa05de08)', 'TWiki', 'ChartPlugin', 'TWiki::Meta=HASH(0xabfc730)', 0) called at /srv/www/htdocs/twiki420/lib/TWiki/UI/View.pm line 377
        TWiki::UI::View::view('TWiki=HASH(0xa05de08)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI.pm line 159
        TWiki::UI::__ANON__() called at /usr/local/lib/perl5/site_perl/5.10.0/Error.pm line 415
        eval {...} called at /usr/local/lib/perl5/site_perl/5.10.0/Error.pm line 407
        Error::subs::try('CODE(0x84794d0)', 'HASH(0xace16b0)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI.pm line 197
        TWiki::UI::run('CODE(0xa207e90)', 'view', 1) called at /srv/www/htdocs/twiki420/bin/view line 32
        ModPerl::ROOT::ModPerl::Registry::srv_www_htdocs_twiki420_bin_view::handler('Apache2::RequestRec=SCALAR(0x8479400)') called at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/ModPerl/RegistryCooker.pm line 204
        eval {...} called at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/ModPerl/RegistryCooker.pm line 204
        ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0x8479520)') called at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/ModPerl/RegistryCooker.pm line 170
        ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0x8479520)') called at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/ModPerl/Registry.pm line 31
        ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0x8479400)') called at -e line 0
        eval {...} called at -e line 0.

Thanks you in advance...

Environment

-- IvanSassi - 13 Mar 2008

Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

(I moved this support question from ChartPluginDev to here.)

Not sure why. For testing, try to disable mod_perl.

-- PeterThoeny - 13 Mar 2008

I've disabled the mod_perl with no result...

From the page I continue to get the following error:

TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.

Insecure dependency in eval while running with -T switch

In the apache2 error log the error is that:

Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/GD.pm line 95.
 at /usr/local/lib/perl5/site_perl/5.10.0/i686-linux-thread-multi/GD.pm line 95
        GD::AUTOLOAD() called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin/Chart.pm line 1040
        TWiki::Plugins::ChartPlugin::Chart::makeChart('TWiki::Plugins::ChartPlugin::Chart=HASH(0x93648c0)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin.pm line 562
        TWiki::Plugins::ChartPlugin::_makeChart('TWiki::Plugins::ChartPlugin=HASH(0x93647f0)', undef, 'ChartPlugin', 'TWiki') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin.pm line 627
        TWiki::Plugins::ChartPlugin::commonTagsHandler('---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0x8d81370)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugin.pm line 266
        TWiki::Plugin::invoke('TWiki::Plugin=HASH(0x86a95d0)', 'commonTagsHandler', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0x8d81370)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins.pm line 344
        TWiki::Plugins::_dispatch('TWiki::Plugins=HASH(0x8383eb8)', 'commonTagsHandler', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0x8d81370)') called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins.pm line 480
        TWiki::Plugins::commonTagsHandler('TWiki::Plugins=HASH(0x8383eb8)', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'ChartPlugin', 'TWiki', 0, 'TWiki::Meta=HASH(0x8d81370)') called at /srv/www/htdocs/twiki420/lib/TWiki.pm line 2864
        TWiki::handleCommonTags('TWiki=HASH(0x8066e78)', '---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'TWiki', 'ChartPlugin', 'TWiki::Meta=HASH(0x8d81370)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI/View.pm line 396
        TWiki::UI::View::_prepare('---+ Chart Plugin (v1.401)\x{a}\x{a}This plugin creates PNG or GIF ch...', 'TWiki=HASH(0x8066e78)', 'TWiki', 'ChartPlugin', 'TWiki::Meta=HASH(0x8d81370)', 0) called at /srv/www/htdocs/twiki420/lib/TWiki/UI/View.pm line 377
        TWiki::UI::View::view('TWiki=HASH(0x8066e78)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI.pm line 159
        TWiki::UI::__ANON__() called at /usr/local/lib/perl5/site_perl/5.10.0/Error.pm line 415
        eval {...} called at /usr/local/lib/perl5/site_perl/5.10.0/Error.pm line 407
        Error::subs::try('CODE(0x804e980)', 'HASH(0x8e5b590)') called at /srv/www/htdocs/twiki420/lib/TWiki/UI.pm line 197
        TWiki::UI::run('CODE(0x8374b78)', 'view', 1) called at /srv/www/htdocs/twiki420/bin/view line 32.

-- IvanSassi - 19 Mar 2008

I guess the problem is related to using the "brand new" Perl 5.10, and I expect to see more of this type of error in the future, not only with ChartPlugin and GD.pm. Perl until 5.8.8 has a "bug" which always has the $AUTOLOAD variable untainted, see http://www.nntp.perl.org/group/perl.perl5.porters/2006/07/msg114677.html.

Ivan: please could you check whether a plain sample script using GD.pm runs under Perl 5.10 with the -T switch set? If not, you could try to report to the GD.pm maintainer - or maybe there's already an update? If your sample script works, we'll have a hard time to debug ChartPlugin

-- HaraldJoerg - 20 Mar 2008

I'm not a perl programmer, I can surely test a script on my system but I have some serious problem to write a script that is testing... someone can give me an hint?

-- IvanSassi - 21 Mar 2008

I tested the GD.pm with the following script:

#!/usr/bin/perl -w
use strict;

use CGI qw( header );
use GD;

my($cgi) = CGI->new();
my($img) = GD::Image->new(300,300);

my($sixteen) =
   [
      [255,255,255], [000,000,000], [000,000,128], [000,000,255],
      [000,128,000], [000,128,128], [000,255,000], [000,255,255],
      [128,000,000], [128,000,128], [128,128,000], [128,128,128],
      [192,192,192], [255,000,000], [255,000,255], [255,255,000],
   ];

foreach (@$sixteen) { $img->colorAllocate(@$_) }

shift(@$sixteen);

for (my($i) = 0; $i < @$sixteen; ++$i) {

   $img->string
      (
         gdGiantFont,
         20, (($i + 1) * 15),
         q[Hello World!],
         $img->colorExact(@{ $$sixteen[$i] }),
      )
}

print($cgi->header('img/gif'));

binmode(STDOUT);

print($img->png()) and exit;

No insecure dependency neither from the browser (using the same mod_perl used with TWiki) nor from shell (launching it with perl -wT)... the script works fine...

I fear that isn't a perl problem...

-- IvanSassi - 26 Mar 2008

The "Insecure dependency in eval while running with -T switch" message is an indication that data fed to GD is "tainted", e.g. received from an external data source. Learn more at http://perldoc.perl.org/perlsec.html and http://www.webreference.com/programming/perl/taint/. Your example works OK because all data is defined locally in your test program.

I suspect that the GD version you are using is a bit more strict with taint checking than earlier versions. Someone needs to investigate what data passed to GD via the ChartPlugin is tainted. The data needs to be cleaned and untainted. Unfortunately I do not have the bandwidth to do that. You can ask one of the ConsultantsForHire.

-- PeterThoeny - 26 Mar 2008

I asked my counting business unit for authorize me to hire some perl programmer for investigate on this problem but they still don't have approved my request... I hope that someone will manage to give it a look in his spare time cause the timetable for the investments on research and development bu is all but short...

Ah, for the record, the same identical issue is present on EasyTimelinePlugin and GnuPlotPlugin...

-- IvanSassi - 08 May 2008

I also observed this issue on my Debian system, which is running perl 5.10, and the libgd-gd2-perl 2.39-2 debian package...(trying to use the ChartPlugin)...

-- ChristopherTracy - 06 Jul 2008

I get a similar error in EasyTimelinePlugin with perl 5.8. But only on the initial load. If I hit refresh, it works.

| 2008-07-30 - 10:09 | Couldn't untaint D:/tmp/EasyTimelinePlugin3748 at D:/Prd/perl/lib/CGI/Carp.pm line 319.
 at D:/Prd/perl/lib/CGI/Carp.pm line 319
   CGI::Carp::realdie('Couldn\'t untaint D:/tmp/EasyTimelinePlugin3748') called at D:/Prd/perl/lib/CGI/Carp.pm line 394
   CGI::Carp::die('Couldn\'t untaint D:/tmp/EasyTimelinePlugin3748') called at D:\Prd\TWiki\lib/TWiki/Plugins/EasyTimelinePlugin.pm line 276
   TWiki::Plugins::EasyTimelinePlugin::cleanTmp('D:/tmp/EasyTimelinePlugin3748') called at D:\Prd\TWiki\lib/TWiki/Plugins/EasyTimelinePlugin.pm line 225
   TWiki::Plugins::EasyTimelinePlugin::handleTimeline('\x{a}# Mandatory commands\x{a}ImageSize = width:500 height:500\x{a}PlotAr...') called at D:\Prd\TWiki\lib/TWiki/Plugins/EasyTimelinePlugin.pm line 120
   TWiki::Plugins::EasyTimelinePlugin::commonTagsHandler('---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'SeanTimeline', 'Sandbox', 0, 'TWiki::Meta=HASH(0x21a62ac)') called at D:\Prd\TWiki\lib/TWiki/Plugin.pm line 266
   TWiki::Plugin::invoke('TWiki::Plugin=HASH(0x1ee78a4)', 'commonTagsHandler', '---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'SeanTimeline', 'Sandbox', 0, 'TWiki::Meta=HASH(0x21a62ac)') called at D:\Prd\TWiki\lib/TWiki/Plugins.pm line 344
   TWiki::Plugins::_dispatch('TWiki::Plugins=HASH(0x18eb0dc)', 'commonTagsHandler', '---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'SeanTimeline', 'Sandbox', 0, 'TWiki::Meta=HASH(0x21a62ac)') called at D:\Prd\TWiki\lib/TWiki/Plugins.pm line 480
   TWiki::Plugins::commonTagsHandler('TWiki::Plugins=HASH(0x18eb0dc)', '---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'SeanTimeline', 'Sandbox', 0, 'TWiki::Meta=HASH(0x21a62ac)') called at D:\Prd\TWiki\lib/TWiki.pm line 2864
   TWiki::handleCommonTags('TWiki=HASH(0x227cd4)', '---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'Sandbox', 'SeanTimeline', 'TWiki::Meta=HASH(0x21a62ac)') called at D:\Prd\TWiki\lib/TWiki/UI/View.pm line 396
   TWiki::UI::View::_prepare('---++ Timeline Demo\x{a}   * !EasyTimelinePlugin: at [[TWiki:Plug...', 'TWiki=HASH(0x227cd4)', 'Sandbox', 'SeanTimeline', 'TWiki::Meta=HASH(0x21a62ac)', 0) called at D:\Prd\TWiki\lib/TWiki/UI/View.pm line 377
   TWiki::UI::View::view('TWiki=HASH(0x227cd4)') called at D:\Prd\TWiki\lib/TWiki/UI.pm line 159
   TWiki::UI::__ANON__() called at D:\Prd\TWiki\lib/CPAN/lib//Error.pm line 379
   eval {...} called at D:\Prd\TWiki\lib/CPAN/lib//Error.pm line 371
   Error::subs::try('CODE(0x226ff0)', 'HASH(0x218f65c)') called at D:\Prd\TWiki\lib/TWiki/UI.pm line 197
   TWiki::UI::run('CODE(0x18c6260)', 'view', 1) called

-- SeanCMorgan - 31 Jul 2008

Line 1040

        GD::AUTOLOAD() called at /srv/www/htdocs/twiki420/lib/TWiki/Plugins/ChartPlugin/Chart.pm line 1040

refers to gdStyled which is, as best as I can figure a constant. As a workaround, and not really understanding how to untaint AUTOLOAD ( I know -- shame on me ) I replaced gdStyled with -2. It looks like if the constant is not found, then AUTOLOAD is called. I think the right constant is -2, but I'm not sure. See line 1164 also.

It doesn't choke now, anyway. I'll test some more and see if it actually makes dotted lines. (see GD.pm -- http://www.ice.mtu.edu/~jamyles/docs/fe/unix/perl/lib/perl5/GD.pm)

-- GeraldSkerbitz - 13 Nov 2008

I have had the same problem after installing TWiki 4.2.3 and ChartPlugin on Ubuntu 8.10/Intrepid. As with Gerald, replacing gdStyled with -2 seems to work, but surely there is a better solution than this?

-- EdMcDonagh - 24 Nov 2008

I filed TWikibug:Item6160

-- PeterThoeny - 02 Jan 2009

This is now fixed in SVN:ChartPlugin trunk and Plugins.ChartPlugin. See also TWikibug:Item6160.

-- PeterThoeny - 2010-04-08