1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
Sorry if you don't appreciate me lumping all of these patches together.
These are various fixes I had to make when installing Ikiwiki. Some are
due it being a non-Debian system, the others are actual bugs.
--- upstream/IkiWiki/Rcs/svn.pm 2006-09-16 01:11:55.000000000 +0100
+++ main/IkiWiki/Rcs/svn.pm 2006-09-16 01:12:50.000000000 +0100
@@ -34,7 +34,7 @@
my $field=shift;
my $file=shift;
- my $info=`LANG=C svn info $file`;
+ my $info=`svn info $file`;
my ($ret)=$info=~/^$field: (.*)$/m;
return $ret;
} #}}}
@@ -140,7 +140,7 @@
if $svn_version =~ /\d\.(\d)\.\d/ && $1 >= 2;
my $svn_url=svn_info("URL", $config{srcdir});
- my $xml = XMLin(scalar `svn $svn_limit --xml -v log '$svn_url'`,
+ my $xml = XMLin(scalar `svn $svn_limit --xml -v log '$svn_url' --config-dir /tmp`,
ForceArray => [ 'logentry', 'path' ],
GroupTags => { paths => 'path' },
KeyAttr => { path => 'content' },
The first hunk of this patch is strange. It just failed to work with this
in place, and it took me a long time to figure it out. I realise what you
are trying to do, and it still works here as I use a similar LANG anyway.
For reference svn version 1.3.1 (r19032), my $LANG=en_GB.utf8, but I'm not
sure what the CGI was running under.
> That's strange. Is the problem to do with setting LANG=C or to do
> with the way it's set and exported on the same line as the svn info call?
> Can you reproduce the problem running svn info outside of ikiwiki?
> --[[Joey]]
>> I've now managed to reproduce the problem. I'll try and give some more information.
>> When going to the Recent Changes link I get
[Sat Sep 16 15:16:08 2006] [error] [client xxxx] svn: Can't check path '/home/jw2328/.subversion': Permission denied, referer: http://xxxxx/test/sandbox.html
[Sat Sep 16 15:16:08 2006] [error] [client xxxx] Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.3/IkiWiki/Rcs/svn.pm line 145., referer: http://xxxx/test/sandbox.html
[Sat Sep 16 15:16:08 2006] [error] [client xxxxx] svn: Can't check path '/home/jw2328/.subversion': Permission denied, referer: http://xxxx/test/sandbox.html
[Sat Sep 16 15:16:09 2006] [error] [client xxxx] File does not exist: at /usr/lib/perl5/site_perl/5.8.3/IkiWiki/Rcs/svn.pm line 145, referer: http://xxxx/test/sandbox.html
[Sat Sep 16 15:16:09 2006] [error] [client xxxx] Premature end of script headers: ikitest, referer: http://xxxx/test/sandbox.html
>> which the $svn_url is causing the uninitialised value, due to the
>> LANG=C it seems, as if I remove it it goes away.
>> The file does not exist is due to the unreadable .subversion.
>> echoing the LANG before it is set shows that the variable is normally
>> empty for the user that is running it.
The second removes problems with cannot access /home/$user/.svnsomething in
the logs. I think this problem was also fatal (I should have reported these
sooner).
I can try and debug these problems if you could suggest some way to do so,
but I am probably losing the server in a couple of days, so I can't be of too
much help I'm afraid.
> I imagine that passing --config-dir /tmp would be either insecure or
> would limit ikiwiki use to one user per machine.
> `--config-dir /etc/subversion` might be better, though still a hack,
> since a user's real ~/.subversion might be needed to access some repos.
>
> Maybe I didn't notice this problem since I have a ~/.subversion
> everywhere that I've used ikiwiki. Hmm, no, I don't reproduce it, svn
> happily recreated the directory during an ikiwiki run after I moved it
> out of the way here. Maybe an issue with old versions of svn? Although
> AFIACR, svn has auto-created ~/.subversion for years.
>
> What's the error message? --[[Joey]]
>> `svn: Can't check path '/home/jw2328/.subversion': Permission denied,`
>> where jw2328 is my usual user.
>> I have restrictive permissions of 0700 on home dirs on the server,
>> and the CGI is running as uid apache, euid root. (Not my setup anymore).
>> The way I had it set up, was jw2328 owning thesource dir, and the svn repo,
>> with g+sw on them both. I ran sudo ikiwiki --setup though, as I was reluctant
>> to adjust permissions on my cgi-dir. This seems to be the root of the
>> problem.
>>> Ah, I think it's better to keep the permissions of the repository
>>> and source directory sane (755) and make the cgi suid to your user,
>>> which is how it's designed to work.
>>>> I realise that now, and I now have a much more sane setup that works.
----
--- IkiWiki.pm
+++ IkiWiki.pm
@@ -734,7 +734,18 @@
my $page=shift;
my $spec=shift;
- return eval pagespec_translate($spec);
+ my $pagespec = pagespec_translate($spec);
+
+ my $newpagespec;
+
+ local($1);
+ if ($pagespec =~ /(.*)/) {
+ $newpagespec = $1;
+ } else {
+ die "oh";
+ }
+
+ return eval $newpagespec;
} #}}}
sub match_glob ($$) { #{{{
This works around a silly, but extremely annoying, taint bug in older
versions of perl. I'm not sure of the details, but it means that either
values become tainted from nowhere, or they don't get untainted possibly.
This also affects backports to sarge. `"oh"` is not going to be very
informative if that code path is ever taken, but I hope that it never is.
> You're not the first person to report a problem here with older versions
> of perl and pagespec tainting. I suspect that this would work around it:
return eval possibly_foolish_untaint(pagespec_translate($spec));
> I'm _very_ uncomfortable putting that in the shipping version of ikiwiki,
> because pagespecs are potentially _insanely_ dangerous, given how they're
> evaled and all. The tainting is the only sanity check there is that
> `pagespec_translate` manages to clean up any possibly harmful perl code
> in a pagespec. It's good to have belt and suspenders here.
>
> For all I know, older versions of perl are keeping it tainted because
> `pagespec_translate` is somehow broken under old versions of perl and is
> in fact not fully untainting the pagespec. Ok, probably not, it's more
> likely that some of the regexps in there don't manage to clear the taint
> flag with old versions of perl, while still doing a perfectly ok job of
> sanitising the pagespec.
>
> I suppose that the version of perl ($^V) could be checked and the untaint
> only be called for the old version. Though it seems it would be better
> to try to debug this some first. Maybe instrumenting `pagespec_translate`
> with calls to Scalar::Utils's tainted() function and seeing which parts
> of pagespecs arn't getting untainted would be a good start.
>
> --[[Joey]]
>> It seems like it is always the (with instrumentation)
elsif ($word =~ /^(link|backlink|created_before|created_after|creation_month|creation_year|creation_day)\((.+)\)$/) {
warn("\$1 tainted=".tainted($1).", \$2 tainted=".tainted($2)." \$code tainted=".tainted($code));
$code.=" match_$1(\$page, ".safequote($2).")";
warn("\$1 tainted=".tainted($1).", \$2 tainted=".tainted($2)." \$code tainted=".tainted($code));
warn("safequote tainted=".tainted(safequote($2)));
}
>> bit that causes it. With the following trace:
$1 tainted=0, $2 tainted=0 $code tainted=0 at IkiWiki.pm line 718.
$1 tainted=0, $2 tainted=0 $code tainted=1 at IkiWiki.pm line 720.
safequote tainted=0 at IkiWiki.pm line 721.
>> which shows that `$code` appears to become tainted from nowhere.
>> <http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200509.mbox/%3C3838.431C7D9B.5F152B8F.dev@spamassassin.apache.org%3E>
>> is what pointed me to find the problem/workaround.
>>> Given that verification, an untaint contingent on the value of $^V
>>> sounds reasonable and I'd accept such a patch. I'm not quite sure which
>>> version(s) of perl it should check for.
>>>> I'm not going to write one though. I don't know what versions either,
>>>> but I think the evil of the special case is too much in this case. If
>>>> you are happy to insist on a newer version of perl then I will leave
>>>> it at that and sort something out locally. If you want the patch I will
>>>> code it though, as I realise you may want to support sarge installs.
|