
Question

I am having the following problems that I think are related to the taint issue:

When I click the Edit link the last character of the html end tag is left off resulting in </htm being displayed at the end of the page.

Sometimes when I click the Preview button, the preview page gets HTTP header data inserted at the top. For example:

>HTTP/1.1 200 OK Date: Thu, 06 Mar 2003 21:06:03 GMT Server: Apache/1.3.20 (Win32) mod_jk/1.1.0 mod_perl/1.27_01-dev Keep-Alive: timeout=15, max=96 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=ISO-8859-1 f01

Sometimes when I click preview after doing an edit, I get a "page cannot be displayed" error.

When I click on Diff I get the following message at the end of the diff page: Insecure dependency in unlink while running with -T switch at d:/twiki/lib/TWiki/Store/RcsWrap.pm line 265.

When I click on any of the versions, Apache starts using about 50% of the server CPU and no response is returned to the browser.

One issue that might affect these problems I'm wondering is that I deleted the ,v rcs files after installing (as per the instructions I read).

My twiki directories are set up as follows:

d:\twiki

d:\twikidata\data

d:\twikiUnixSupportFiles

I've attached my twiki.cfg

Here is the twiki specific portion of my httpd.conf

LoadModule perl_module modules/mod_perl.so
AddModule mod_perl.c

Alias /twiki/ "D:/twiki/"
ScriptAlias /twiki/bin/ "D:/twiki/bin/"
        
<Directory  "D:/twiki/bin/">
   AllowOverride All
   Allow From All
   Options  ExecCGI

    # Use CGI Perl
    # SetHandler cgi-script

    # Use mod_perl
    SetHandler perl-script
    PerlHandler Apache::Registry
    PerlSendHeader On   
</Directory>

<IfModule mod_perl.c>
    PerlTaintCheck On
</IfModule>

<IfModule mod_env.c>
   # Environment setup required to run Apache as service or as a
   # standalone process.

   # Adjust TZ for your server timezone, e.g. EST5EDT - put the non-daylight-savings
   # timezone code first (e.g. EST or GMT), followed by the number of hours that it's behind GMT 
   # during non-daylight-savings time (use '-5' for timezones in advance of GMT).
   SetEnv TZ EST7EDT
   SetEnv RCSINIT -x,v/
   SetEnv RCS_LF_ONLY 1
   # Adjust TEMP and TMP for your server and create directories if necessary
   SetEnv TEMP c:/temp
   SetEnv TMP c:/temp
   SetEnv LOGNAME system
   SetEnv HOME d:/twiki
</IfModule>

  • TWiki version: Version: 01 Feb 2003
  • Perl version: ActivePerl 5.6.1.635
  • Web server & version: Apache
  • Server OS: Windows 2000
  • Web browser & version: IE 6.0
  • Client OS: Windows XP

-- JoelDuffin - 06 Mar 2003

Hi!

Me having the same problem...

-- JoergWeichelt - 28 Jul 2003

Answer

I get the same two problems. I suspect that like me you are running TWiki on Windows, Apache + ModPerl according to the WindowsCookbookInstallModPerl.

I don't have an answer for you, sorry, but I am hoping the Core Team could at least have a look at the problem of: Insecure dependency in unlink while running with -T switch at d:/twiki/lib/TWiki/Store/RcsWrap.pm line 265.

-- MartinCleaver - 17 Jul 2003

I'm having a similar problem on Linux w/ Apache + mod_perl. It seems to happen mainly after I click "Preview changes" or I click 'Cancel'. It's not always reproducible... but it does happen about 15 or 20% of the time. I will either get "l>" on the screen (and nothing else...probably end of ) or I will get the same as above plus a bunch of http headers plus the rendered page.

Things I noticed:

  1. it only happens on IE. Mozilla 1.4 & Moz Phoenix, doesn't seem to happen.
  2. I don't see any entries in the error logs when the 'l>' happens, but if the "l>" and the rest of it happens then I do see entries
  3. The problem goes away when I disable keepalives for IE (by adding this in the virtualhost):
      SetEnvIf User-Agent ".*MSIE.*"  nokeepalive

Oh, and I was just trying to reproduce it here at this other Windows machine with IE. And I can seem to reproduce it 95% (with keepalive still on) by refreshing the edit page over and over and over. Eventually, edit, and/or cancel button would give "'l>' plus headers plus page" error pretty much 100%.

So looks like maybe TWiki is trying to do weird things with the headers and confuses IE's keepalive system or at least handling of each request. Or a bug in Apache::Registry... or bug in IE being accidentally exploited in my case. Guessing here, that the 'l>' case is possibly from the end of the previous request, and then when it does 'l>' + headers + html, still has 2 letters from previous request and then the headers + html of the current request.

Also when I refresh the cancel page or the edit page, sometimes I get all the html as just text (i.e. no html rendering by IE).

Anyway, just recounting the problem I had. I'm sure it's something in TWiki, and since I just started looking at TWiki (let alone the source), I can't say. I develop mod_perl apps (on a small scale), and have never seen that happen.

AND after I disabled keepalives in apache for IE, the problem goes away.

[Late Edit: I am using the Feb 2003 Release]

-- ImranNiazi - 30 Jul 2003

Hmm, I just noticed that there are couple of other Topics discussing the incomplete html tag and/or headers in the html.

Is there a main mod_perl problems page? Do we need a ModPerlIsGood topic? I can create one to just link to other mod_perl problems & issues people have had, features they are looking for, configuration stuff, etc. and other wholesome goodness that is mod_perl? Basically a link site to other topics, categorised.

-- ImranNiazi - 31 Jul 2003

I had the same issue with "Preview Changes". I'm running TWiki Feb 2003 and Apache on W2K without CygWin. I added a couple of spaces and a carriage return to the end of the preview.tmpl file and the problem with <htm and the Header data went away. I then did the same for the edit.tmpl file. However, I now, periodically, get blank pages which require me to refresh. I realize it's not a solution, nor a workaround, but it might help explain the cause. In any case it looks better than getting Header data.

-- BoHanchuk - 12 Aug 2003

This might be ExtraneousLineInHttpHeader - try the patch on that page. If it does fix this, that page should be added to the known issues for TWikiRelease01Feb2003. This fix will already be in the TWikiBetaRelease.

-- RichardDonkin - 12 Aug 2003

The quick fix to the WindowsTaintProblem is to set PerlTaintCheck to off in httpd.conf

-- NeilMcCurdy - 14 Sep 2003

That's not a good idea for security reasons - see TaintChecking and SecureSetup.

-- RichardDonkin - 15 Sep 2003

About the 'Insecure' problem

I am moving a win32 apache server from

  • Apache 1.3.23 (not cygwin), cygwin perl 5.6.1, cygwin RCS 5.7, TWiki 20030201
to
  • Apache 1.3.23 (not cygwin), ActiveState perl 5.6.1, cygwin RCS 5.7, TWiki 20030201
as a first step towards mod_perl.

I face the 'Insecure dependency in unlink while running with -T switch at ../lib/TWiki/Store/RcsWrap.pm line 265' problem.

I tracked this down to TWiki::RcsFile.pm; seems like the File::Spec->tmpdir(); is marked as tainted; i.e., following code works ok:

sub _mkTmpFilename
{
    $ENV{'TEMP'} = 'c:/cygwin/tmp';        # JMC: inserted line; rest unchanged
    my $tmpdir = File::Spec->tmpdir();
    my $file = _mktemp( "twikiAttachmentXXXXXX", $tmpdir );
    return File::Spec->catfile($tmpdir, $file);
}

I set the TEMP variable through the apache mod_env (and checked: if I change this, the testenv script display changes too):

<IfModule mod_env.c>
[...]
   SetEnv TEMP c:/cygwin/tmp
   SetEnv TMP c:/cygwin/tmp
[...]
</IfModule>

From the perldoc perlsec manpages, this failure seems to be ok with respect to tainting. But then:

  • How should I solve this? Should I set in TWiki.cfg a variable for my tmp dir? Would probably work, but this means my script will differ from the official distribution. I would prefer to avoid.
  • Why does it work for the others?

-- JeanMarieClement - 20 Oct 2003

Are you saying that you get the taint error even when you have the SetEnv statements in the Apache config file? If so, something odd is happening as the line of code inserted should have the same effect - might be useful to do a line at this point to log the current value of TEMP, i.e.

    writeDebug "TEMP env variable is '$ENV{TEMP}'";

This will go into debug.txt, see TWikiDebugging.

-- RichardDonkin - 21 Oct 2003

Hi Richard,

thanks for the feedback. I tried it as you mentioned: I did not get it to output anything in the debug file; though I did not try very long because I couldn't reproduce the problem anymore. I tried to investigate what I changed since then (I went until mod_perl config, and then back to normal perl), but couldn't get it to fail again.

I'll come back if this happens again.

Thanks again,

-- JeanMarieClement - 21 Oct 2003

Ok, I'm back. The problem happens again. I still cannot say why it happens. Changing the subroutine as follows:

    sub _mkTmpFilename
    {
        my $tmpdir = File::Spec->tmpdir();
        my $file = _mktemp( "twikiAttachmentXXXXXX", $tmpdir );
        TWiki::writeDebug ( "TEMP env variable is '$ENV{TEMP}'" );
        return File::Spec->catfile($tmpdir, $file);  
    }

produces the error mentioned above, and in the debug log:

    23 Oct 2003 - 15:50 TEMP env variable is 'c:/cygwin/tmp'

If I change in the httpd.conf this way:

    #SetEnv TEMP c:/cygwin/tmp
    SetEnv TEMP c:/TEMP

I get in the debug log:

    23 Oct 2003 - 15:52 TEMP env variable is 'c:/TEMP'

-- JeanMarieClement - 23 Oct 2003

Hei!

I have been experiencing the same taint problem. I have modified the TWiki::RcsFile.pm file and the taint error has disappeared so far. I have added the following lines:

sub _mkTmpFilename
{
    my $t_tmpdir = File::Spec->tmpdir();  #$t_tmpdir instead of $tmpdir
    $t_tmpdir =~ /(.*)/;                  #New. Untaints the variable
    my $tmpdir =$1;                       #New
    my $file = _mktemp( "twikiAttachmentXXXXXX", $tmpdir );  #As before
    return File::Spec->catfile($tmpdir, $file);
}

However I still get the following error:

rcs: RCS/C:\temp\twikiAttachmentqmTRJy,v: No such file or directory

In principle it does not worry me very much because everything works fine anyway; however, I would like to remove that error too. Any idea?

-- HumbertoCastejon - 28 Oct 2003
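
The untaint step from the post above, as an added example that is not part of the original thread or of TWiki's code: instead of capturing with /(.*)/, which accepts any value, the directory is matched against a restrictive pattern and checked before use. The helper name untainted_tmpdir, the allowed-character pattern and the sample inputs are assumptions.

```perl
# Added example, not TWiki code. Run with: perl -T untaint_tmpdir.pl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical helper: return an untainted temp directory path, or die.
sub untainted_tmpdir {
    my ($candidate) = @_;

    # Assumed policy: optional drive letter, then only word characters,
    # dots, slashes, backslashes and hyphens. Adapt to your own layout.
    my ($clean) = $candidate =~ m{^((?:[A-Za-z]:)?[\w./\\-]+)$}
        or die "unexpected characters in temp dir\n";

    # The capture is untainted now, so check what the pattern cannot.
    die "'..' not allowed in temp dir\n"
        if $clean =~ m{(?:^|[/\\])\.\.(?:[/\\]|$)};
    die "temp dir is not a writable directory\n"
        unless -d $clean && -w _;
    return $clean;
}

# Constructed inputs. An environment value is tainted under -T, as the
# thread reports for the File::Spec->tmpdir() result.
my $from_env = defined $ENV{TEMP} ? $ENV{TEMP} : File::Spec->tmpdir();
for my $dir ($from_env, 'c:/temp;x', '/tmp/../etc') {
    my $ok = eval { untainted_tmpdir($dir) };
    if (defined $ok) {
        printf "%-14s accepted (tainted: %s)\n", $ok, tainted($ok) ? 'yes' : 'no';
    } else {
        chomp(my $why = $@);
        printf "%-14s rejected: %s\n", $dir, $why;
    }
}
```

With this shape, PerlTaintCheck can stay on: only a value that passes the pattern and the directory checks reaches unlink or the RCS commands.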

I'm closing this as "Answered" because the original question transmogrified and it's been dead for some time; if these issues are still present, then please open a new support request with a clear summary of the problem.

-- CrawfordCurrie - 03 Jul 2004

Topic attachments
Attachment | History | Size | Date | Who | Comment
TWiki.cfg | r1 | 21.3 K | 2003-03-06 - 21:33 | UnknownUser | My Twiki config file
Topic revision: r17 - 2004-07-03 - CrawfordCurrie