Delivered-To: mailing list test-dev@httpd.apache.org
Date: Thu, 6 Sep 2001 22:10:14 +0800 (SGT)
From: Stas Bekman
Subject: Re: cvs commit: httpd-test/perl-framework/Apache-Test/lib/Apache TestConfig.pm TestConfigParse.pm

> > > This breaks on mine even though $httpd is an absolute path at this point.
> >
> > You mean if you don't add the patch from above?
>
> From a clean, current CVS checkout:

BTW, be aware of the HEAD httpd-2.0, somebody has broken the source file
used by httpd-2.0, nothing will work if you update this build.

> % cd httpd-test/perl-framework
> % export PATH=/path/to/httpd-and-apxs:$PATH
> % perl Makefile.PL
> % make
> % t/TEST -start-httpd
> setting ulimit to allow core files
> ulimit -c unlimited
> exec t/TEST -start-httpd
> cannot build c-modules without apxs
> no test server configured, please specify an httpd or apxs or put either in your PATH

That's because you have to configure it:

  perl Makefile.PL apxs /path/to/httpd/bin/apxs

I think README says that. Or you should run:

  t/TEST httpd /path/to/apache/bin/httpd -start

> > > I'm not familiar enough with Perl to know why this should be, but is there
> > > a better way (like $ENV{PATH} = '/bin:/usr/bin' unless $httpd =~ m:^/:;).
> > > Would that successfully untaint it?
> >
> > It's not about being absolute path or not, it's about opening "-|", which
> > is insecure if $ENV{PATH} is not untainted.
>
> I don't really think I understand this line:
>
> | open my $v, '-|', $cmd or die "$cmd failed: $!";
>
> As far as I see it, '-|' means perform an explicit fork, with return
> value of open being child pid in the parent and 0 in the child. From what
> I see, it looks like you should be doing either of these two:
>
> | open my $v, "$httpd|" or die "$cmd failed: $!";

That's the triple args open which is safer than two args open. It's the
same as:

  open my $v, "$httpd|" or die "$cmd failed: $!";

See the output of:

  % perldoc -f open

    If the filename begins with "'|'", the filename is interpreted as a
    command to which output is to be piped, and if the filename ends
    with a "'|'", the filename is interpreted as a command which pipes
    output to us. See the Using open() for IPC entry in the perlipc
    manpage for more examples of this. (You are not allowed to "open"
    to a command that pipes both in and out, but see the IPC::Open2
    manpage, the IPC::Open3 manpage, and the Bidirectional Communication
    with Another Process entry in the perlipc manpage for alternatives.)

    If MODE is "'|-'", the filename is interpreted as a command to which
    output is to be piped, and if MODE is "'-|'", the filename is
    interpreted as a command which pipes output to us. In the

> | open my $v, '-|' or exec $httpd or die "$cmd failed: $!";
>
> I'm not saying that your code is _wrong_: I'm saying I don't understand
> it. I can see what your line does, but not how it does it or why '-|' is
> insecure.

Whenever '|' is used in the open() call, $ENV{PATH} and a few other env
vars have to be untainted. See the perlsec manpage.

The triple args open() is safer than double, because the latter invokes
shell and then one can try to slide in something like
"filename; rm -rf /", whereas with the former the sysopen() is used
instead and no shell interpretation problems happen.

> > > I can't tell, since mine doesn't complain about it being tainted at this
> > > point and I can't figure out a way to make it do so. Why do you need to
> > > untaint here anyway? Is this something from mod_perl? I'm confused!
> >
> > What's your Perl version? perl -v ?
>
> v5.6.1

Just almost like me. I'm running 5.7.1

> I'm just running it as my UID, so would taint checking happen anyway?

Yup. Don't confuse taint problems with setuid problems. Taint things are
the same no matter what your UID is.

_____________________________________________________________________
Stas Bekman              JAm_pH      --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide   http://perl.apache.org/guide
mailto:stas@stason.org   http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
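
Added example, not part of the original message and not Apache-Test code: a small script to run under perl -T that shows the taint check on a piped open discussed in this thread, first with the inherited environment and then after $ENV{PATH} is set to a known value and the other variables named in perlsec are removed. It uses the list form of open with the command and its arguments passed separately, so no shell parses them. The try_pipe helper and the file name taint_pipe.pl are hypothetical, and /bin/echo is assumed to exist.

```perl
#!/usr/bin/perl -T
# Added illustration; try_pipe is a hypothetical helper and /bin/echo is
# assumed to exist. Run as: perl -T taint_pipe.pl
use strict;
use warnings;

# Attempt a list-form piped open. Taint failures are raised as exceptions
# in the parent before any fork, so eval can catch and report them.
sub try_pipe {
    my @cmd = @_;
    my $out = eval {
        open my $fh, '-|', @cmd or die "open failed: $!\n";
        local $/;               # slurp everything the child prints
        my $data = <$fh>;
        close $fh;
        $data;
    };
    return defined $out ? "ok: $out" : "refused: $@";
}

# 1. Inherited environment: $ENV{PATH} is tainted, so the piped open is
#    rejected even though the command is an absolute path and we run as
#    an ordinary user.
print "inherited env   -> ", try_pipe('/bin/echo', 'hello');

# 2. The perlsec fix: assign PATH a known value and drop the other
#    variables that perl checks before running a command.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';
print "cleaned env     -> ", try_pipe('/bin/echo', 'hello');

# 3. List form: the second element reaches echo as a single literal
#    argument. The ';' is not interpreted because no shell is involved.
print "metacharacters  -> ", try_pipe('/bin/echo', 'version; echo INJECTED');
```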