Fri Jun 06 21:34:28 2014: Request 96291 was acted upon.
Transaction: Correspondence added by ETJ
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: new
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


Confirmation from #perl on irc.perl.org - it's a deliberate change in perl 5.20.0. A quick fix would be either to explicitly set $ENV{PATH} to '/bin:/usr/bin', or skip the test for 5.20.0.

The rationale is that taint mode is rarely used anymore. The following suggestion was made:

<@mst> maybe the best way to fix the test would be to try /bin, /usr/bin, /usr/local/bin
<@mst> and see if the necessary binaries are there
<@mst> and if yes, you can run the test
<@mst> and if no, skip all
<@mst> but still run the test in cases where we can do

I hoped there would be a sensible value available in %Config, but there isn't.

-----Original Message-----
From: Ed J via RT
Yes, this happens on some systems.
The problem has not yet been fixed - see

https://rt.cpan.org/Ticket/Display.html?id=65703

for a fuller discussion. I think there are some workarounds mentioned in
there if you're actually wanting to run Inline taint-activated.
If you're not wanting to run Inline with taint turned on, just "force"
install the module.

Note that this failure simply signifies that you can't run Inline under
taint. It doesn't impact on any other aspects of the module.

Cheers,
Rob

Sun Jun 08 23:59:42 2014: Request 96291 was acted upon.
Transaction: Correspondence added by NERDVANA
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
I'd like to report that I'm having this same problem on EVERY gentoo system I've tried, each of varying architecture and updated-ness. It worked fine on Linux Mint 15 and 16.

Mon Jun 09 00:02:51 2014: Request 96291 was acted upon.
Transaction: Correspondence added by NERDVANA
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


Oh, and the perls involved were 5.12.4 and 5.16.3, so it isn't specific to 5.20

Mon Jun 09 01:00:03 2014: Request 96291 was acted upon.
Transaction: Correspondence added by NERDVANA
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
I have further discovered that it only happens when I run cpan or cpanm as root. When I run "make test" manually as a normal user (with the files chown'd to that user) the test passes.

<URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
Reason was the logic in Inline.pm untainting PATH disallows any directories writable by that user - for root, that's all of them!

Change proposed is visible on github.

Wed Jun 11 05:52:23 2014: Request 96291 was acted upon.
Transaction: Correspondence added by ETJ
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
Reason was the logic in Inline.pm untainting PATH disallows any directories writable by that user - for root, that's all of them!

Change proposed is visible on github.

Fri Jun 20 23:56:25 2014: Request 96291 was acted upon.
Transaction: Correspondence added by SISYPHUS
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


Inline-0.55_01 was released a couple of days ago, partly to see how t/08taint.t fares following the latest round of amendments to the Inline code.

I've just received the first FAIL report for 0.55_01:
http://www.cpantesters.org/cpan/report/a3185cf8-f82f-11e3-919b-572b4803b899

The culprit is, of course, C/t/08taint.t.

What to do wrt this ?

If it's fixable, and we can fix it, then I guess we should do that.
If we can't fix it, then we need to detect in advance that the failure will occur and either SKIP or TODO the remaining 9 tests.

There's a couple of issues with taking the TODO route:

1) The script is actually dying before all tests have been run - so I don't think TODO'ing the remaining tests is going to prevent the script from being reported as a FAIL. (We can probably workaround that by running the remaining tests inside eval{}.)

2) 3 of the tests are warnings_like() from Test::Warn, and it seems that TODO is ignored for them. That being so, we need to work around that shortcoming, too. (I was unable to find a way to make those 3 tests honor TODO - but that doesn't necessarily mean it can't be done.)

However, I think that if there's no chance of Inline being able to run correctly under -T on a particular system, then we are quite entitled to SKIP those tests on that system.

Thoughts ?

Cheers,
Rob

Sat Jun 21 18:47:52 2014: Request 96291 was acted upon.
Transaction: Correspondence added by ETJ
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


The failure is because on that test system, input PATH:

/srv/smoker/bin:/usr/lib/ccache:/srv/smoker/perl5/perlbrew/bin:/srv/smoker/perl5/perlbrew/perls/perl-5.20.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

is being stripped down to this:

/srv/smoker/bin:/usr/lib/ccache:/srv/smoker/perl5/perlbrew/bin:/srv/smoker/perl5/perlbrew/perls/perl-5.20.0/bin:/usr/bin:/usr/games

These were removed:

/usr/local/bin /bin /usr/local/games

The untainting code, on non-Windows (this system is Linux) removes directories from PATH if they are NOT: absolute, directories, and neither group- nor world- writable.

The "problem" here is that the relevant system has configured /bin to be either group- or world-writable. It therefore gets removed, so chmod (which typically lives in /bin) is unavailable.

The issue we face here is that tainting is designed to deal with two different situations: CGIs, and suid scripts on multi-user systems.

A. For CGIs, there is no point in stripping the PATH, because the entire content of the system is under the control of the admin, and the only threat is web-user input.

B. For suid scripts on multi-user systems, there IS a point to stripping the PATH, because a malicious user could provide a PATH where e.g. a chmod command under their control would be found before the "real" one. However, the "correct" value to set PATH to is probably not by stripping some values out, but by setting it to a known value, eg "/bin:/usr/bin:/usr/local/bin". This might be problematic because that will not always be the correct value for a given system, and would therefore need to be configured on installation, which is not a road Inline has yet needed to go down.

I believe there are two decent ways forward here:
1. document that Inline does not build when used in taint mode (although it can still safely run code) and make it be a fatal error to try to do so;
2. update the PATH-untainting code to being nearly what it was before I changed it, but instead of "-w $_ || -W $_", which I believe was a mistake, since it means "writable by either effective or real uid", make it "-W $_" - "writable by real uid".

I advocate method 2, since it deals effectively with situations A and B (including the real threat in B), and will almost certainly pass on the system that failed the test. The following patch implements it, and all the tests still pass on my Linux system:

diff --git a/Inline.pm b/Inline.pm
index 32868a3..5fced1c 100644
--- a/Inline.pm
+++ b/Inline.pm
@@ -1075,7 +1075,7 @@ sub env_untaint {
join ';', grep {not /^\./ and -d $_
} split /;/, $ENV{PATH}
:
- join ':', grep {/^\// and -d $_ and not ((stat($_))[2] & 0022)
+ join ':', grep {/^\// and -d $_ and not -W $_
} split /:/, $ENV{PATH};

map {($_) = /(.*)/} @INC;

Sat Jun 21 19:22:11 2014: Request 96291 was acted upon.
Transaction: Correspondence added by ETJ
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


On further reflection, the previous logic and patch is slightly imperfect; a malicious user could include a directory under their control, put in a "chmod" command, then deny themselves write permission, and the directory would still be permitted. Instead, this patch, which replaces the previous one, will strip out directories either writable OR owned by the real uid:

diff --git a/Inline.pm b/Inline.pm
index 32868a3..3b62337 100644
--- a/Inline.pm
+++ b/Inline.pm
@@ -1075,7 +1075,7 @@ sub env_untaint {
join ';', grep {not /^\./ and -d $_
} split /;/, $ENV{PATH}
:
- join ':', grep {/^\// and -d $_ and not ((stat($_))[2] & 0022)
+ join ':', grep {/^\// and -d $_ and not (-W $_ or -O $_)
} split /:/, $ENV{PATH};

map {($_) = /(.*)/} @INC;

Sat Jun 21 22:28:50 2014: Request 96291 was acted upon.
Transaction: Correspondence added by ETJ
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >


On further further reflection, the previous logic is bound to give false positives when running as root, which means installing as root using CPAN (a reasonable thing to do) will fail tests, which is where we came in. Instead, this patch (replacing previous two) actually tests $< != $>, which revealed a couple of quirks, hence a couple of extra changes:

diff --git a/C/t/08taint.t b/C/t/08taint.t
index 9effb6f..357b551 100644
--- a/C/t/08taint.t
+++ b/C/t/08taint.t
@@ -21,13 +21,15 @@ BEGIN {
use warnings;
use strict;
use Test::More tests => 10;
-
use Test::Warn;

# Suppress "Set up gcc environment ..." warning.
# (Affects ActivePerl only.)
$ENV{ACTIVEPERL_CONFIG_SILENT} = 1;

+# deal with running as root - actually simulate running as setuid program
+$< = 1; # ignore failure
+
my $w1 = 'Blindly untainting tainted fields in %ENV';
my $w2 = 'Blindly untainting Inline configuration file information';
my $w3 = 'Blindly untainting tainted fields in Inline object';
diff --git a/Inline.pm b/Inline.pm
index 32868a3..83f7035 100644
--- a/Inline.pm
+++ b/Inline.pm
@@ -846,6 +846,8 @@ sub create_config_file {
next;
}
next if $mod =~ /^(MakeMaker|denter|messages)$/;
+ # @INC is made safe by -T disallowing PERL5LIB et al
+ ($mod) = $mod =~ /(.*)/;
eval "require Inline::$mod;";
warn($@), next if $@;
eval "\$register=&Inline::${mod}::register";
@@ -1075,11 +1077,16 @@ sub env_untaint {
join ';', grep {not /^\./ and -d $_
} split /;/, $ENV{PATH}
:
- join ':', grep {/^\// and -d $_ and not ((stat($_))[2] & 0022)
+ join ':', grep {/^\// and -d $_ and $< == $> ? 1 : not (-W $_ or -O $_)
} split /:/, $ENV{PATH};

map {($_) = /(.*)/} @INC;

+ # list cherry-picked from `perldoc perlrun`
+ delete @ENV{qw(PERL5OPT PERL5SHELL PERL_ROOT IFS CDPATH ENV BASH_ENV)};
+ $ENV{SHELL} = '/bin/sh' if -x '/bin/sh';
+
+ $< = $> if $< != $>; # so child processes retain euid - ignore failure
}
#==============================================================================
# Blindly untaint tainted fields in Inline object.

Sun Jun 22 07:05:25 2014: Request 96291 was acted upon.
Transaction: Correspondence added by SISYPHUS
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
Thanks Ed - checks out ok here, so I've applied the patches and released Inline-0.55_02.

On Windows both $< and $> are 0 and cannot be altered as seteuid() and setruid() are not implemented.
In C/t/08taint.t I therefore had to make the setting of $< to 1 conditional upon OS not being Windows (to avoid fatal error on that OS).

With that in place, everything tests fine for me on Windows, Cygwin, Ubuntu and Debian Wheezy.
Now we sit back and see what the smokers/testers throw at us :-)

Cheers,
Rob

Tue Jun 24 05:01:44 2014: Request 96291 was acted upon.
Transaction: Correspondence added by SISYPHUS
Queue: Inline
Subject: t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: ETJ-***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >



Fixed as of 0.55_02