Question
Hi folks. My new Twiki installation will not accept attachments. The server error log shows: Insecure dependency in open while running with -T switch at /usr/lib/perl5/5.6.1/File/Copy.pm line 97. [Thu Oct 24 17:00:16 2002][error] [client 192.168.0.100] Premature end of script headers: /usr/local/httpd/twiki/bin/upload I'm aware of the IE upload issue. This is failing consistently with IE5.5, Mozilla 1.1, and Opera 6. Here's what I've done so far:
- Double-checked file & directory owner (wwwrun:nogroup) & permissions (typically 755)
- Tried permissions 777 on the upload directory and script
- Double-checked httpd.conf against latest installation docs
- Played with the untaint code in twiki/bin/upload (NB: my perl is at the knows-just-enough-to-be-dangerous level)
- Applied what appeared to be a relevant patch to Copy.pm (link
)
- TWiki version: 01 Dec 2001
- Web server: Apache 1.3.23
- Server OS: SuSE 8.0; patches up to date as of 01 Oct 2002
- Web browsers: IE5.5; Mozilla 1.1; Opera 6.05
- Client OS: Win2K
- Perl: 5.6.1
- Base installation: /usr/local/httpd/twiki
- CGI user per testenv: wwwrun:nogroup (RCS files patched)
Answer
Thanks for providing this level of detail, makes it much easier to help! Inlib/TWiki/Store.pm at about line 764, you should see this code:
my $newFile = "$tempPath/$attachment";
copy($theTmpFilename, $newFile) or warn "copy($theTmpFilename, $newFile) failed: $!";
This is a call to File::Copy, which is failing when opening either the From or To files (can't tell as my 5.6.1 copy of File::Copy.pm is a bit different to yours).
Put some TWiki writeDebug calls in just before the copy to find out the values of all the variables, and then check debug.txt - see TWikiDebugging for more information.
See TaintChecking for more on tainting - as you say, turning this off is a bad idea for normal use. Also, see SoftwareErrorInsecureDependency which is similar, and mentions the userid changing - perhaps there is something unusual about your setup, e.g. cgiwrap or suexec causing the userid to change?
-- RichardDonkin - 29 Oct 2002
I had essentially the same problem:
Insecure dependency in open while running with -T switch at /usr/lib/perl5/5.8.0/File/Copy.pm line 130. [Thu Nov 28 23:30:26 2002] [error] [client 66.57.236.42] Premature end of script headers: /home/httpd/twiki/bin/uploadI temporarily added 'use diagnostics;' to the upload file right after the 'use TWiki;' line. That produced:
Insecure dependency in open while running with -T switch at
/usr/lib/perl5/5.8.0/File/Copy.pm line 130 (#1)
(F) You tried to do something that the tainting mechanism didn't like.
The tainting mechanism is turned on when you're running setuid or
setgid, or when you specify -T to turn it on explicitly. The
tainting mechanism labels all data that's derived directly or indirectly
from the user, who is considered to be unworthy of your trust. If any
such data is used in a "dangerous" operation, you get this error. See
perlsec for more information.
Uncaught exception from user code:
Insecure dependency in open while running with -T switch at /usr/lib/perl5/5.8.0/File/Copy.pm line 130.
File::Copy::copy('/usr/tmp/CGItemp23818','/home/httpd/twiki/pub/Test/TestTopic1/_viminfo') called at ../lib/TWiki/Store.pm line 764
TWiki::Store::saveAttachment('Test','TestTopic1','','','_viminfo',1,1,'','',...) called at /home/httpd/twiki/bin/upload line 375
main::main() called at /home/httpd/twiki/bin/upload line 33
[Thu Nov 28 23:34:45 2002] [error] [client 66.57.236.42] Premature end of script headers: /home/httpd/twiki/bin/upload
To fix the problem, I added code to untaint the filename after it has had any special characters deleted:
*** upload 2002-11-28 23:03:17.000000000 -0500
--- /home/httpd/twiki/bin/upload 2002-11-28 23:42:42.000000000 -0500
***************
*** 354,359 ****
--- 354,367 ----
$fileName = $pathza[$#pathza];
$fileName =~ s/[^A-Za-z0-9_\.\-]//go; # delete special characters
$fileName =~ s/$TWiki::uploadFilter/$1\.txt/goi; # apply security filter
+ # De-taint
+ if ($fileName =~ /^(.+)$/) {
+ $fileName = $1;
+ } else {
+ handleError( $noredirect,
+ "Filename does not have any characters after deleting special characters",
+ $query, $webName, $topic, "oopsupload", $filePath );
+ }
# Update
my $text1 = "";
I hope this helps someone.
-- RobWest - 29 Nov 2002
Thanks for the patch! You didn't say which file or release your patch is against, but I guess it is TWiki::Store... See the PatchGuidelines for some ideas on how to make patches easier to apply and incorporate.
It would also be useful to know your environment, e.g. server OS etc. If you can grab the latest testenv (see SupportGuidelines) and provide its output, that will also tell us the version of CGI.pm, the userid under which you are running, and so on. Are you using cgiwrap/suexec as well?
This may be due to Perl 5.8 changing the TaintChecking rules, but the original problem was on 5.6.1 so maybe not. See also UsingPerl58OnRedHat8 if you are on Red Hat 8.
-- RichardDonkin - 29 Nov 2002
Sorry...got a little ahead of myself. I changed the diff above to use the -c option which clearly shows the file name (upload) and context. The TWiki release I'm using is from 01-Dec-2001 (Happy birthday, TWiki!). My server OS (and only client so far) is Mandrake Linux 9.0. Web server is Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/5mdk). Browser is Mozilla 1.1. CGI user is apache:apache. Here's some data from testenv:
Perl version:5.8.0
Required Perl modules: CGI (2.89) CGI::Carp (1.24) File::Copy (2.05)
-- RobWest - 01 Dec 2002 
Site map
Blog web
Search
Changes
RSS Feed
Notifications
Statistics
Preferences
Register new user
Support Forum 
Ask a question
Open questions 
My recent questions
Get quick help in #twiki IRC channel
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.