> From: "Stas Bekman"
> Tulan W. Hu wrote:
> > -- Original Message -----
> > From: "Stas Bekman"
> >
> >>Please take a look at Apache-Test/lib/Apache/TestConfig.pm
> >>
> >>sub open_cmd {
> >
> > ....
> >
> >>it calls untaint_path($ENV{PATH}) in the same file. Please take a look at
> >>that function and see if you can fix it.
> >>
> >>If you don't figure out, please apply the patch below and post the console
> >>output at the server startup. Thanks.
> >
> >
> > Thank you for your advice. I do have a long list in the $ENV{PATH}.
>
> If you don't show us what you have in there, we can't fix it. So it's the
> best that you do (feel free to email me offlist if you think that the
> information in that path is somewhat sensitive). untaint_path is supposed
> to deal with any path. I guess you have a new case we didn't encounter yet.

I have carefully checked my PATH. I found out the problem is that my PATH
contains "/usr/bin:.:/usr/java/bin:$OLDPATH:/usr/local/bin.....", where
$OLDPATH was not defined. This became an empty spot,
"$path::$other_long_pathes", and caused the security error.
You may want to add the case in the untaint_path.

> > It's actually two tests.
>
> Please follow the instructions in this section:
> http://perl.apache.org/docs/2.0/user/help/help.html#_C_make_test___Failures
> and we will look at it.

Here is the output on errors:

....
ok 4
# send: foobar
# testing : banner
# expected: Welcome to TestProtocol::pseudo_http
# received: Access Denied
# Failed test 5 in t/protocol/pseudo_http.t at line 57
not ok 5
# testing : date
# Failed test 6 in t/protocol/pseudo_http.t at line 63 fail #4
# expected: Available commands: date quit
# received:
not ok 6
# Failed test 7 in t/protocol/pseudo_http.t at line 63 fail #5
# send: date
# testing : quit
# expected: (?-xism:The time is:)
# Failed test 8 in t/protocol/pseudo_http.t at line 57 fail #2
# received:
not ok 7
# send: quit
# testing : end of transmission
# expected: Goodbye
# received:
not ok 8
ok 9
....

> Also you may want to get Apache's mod_deflate installed so you get less
> tests skipped and more tested.

OK, I'll add it to Apache next time I build it.
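
The empty-entry case reported in the message above, as an added Perl example that is not part of the original thread and is not the untaint_path from Apache::TestConfig. The helper name clean_path and the character whitelist are assumptions, and the sample PATH is constructed from the one quoted in the message.

```perl
# Run as: perl -T clean_path.pl   (the file name is arbitrary)
use strict;
use warnings;
use File::Spec;

# Hypothetical helper, not the untaint_path from Apache::TestConfig.
# Splits a PATH string, drops the entries taint mode refuses, and
# untaints the remaining ones through a regex capture.
sub clean_path {
    my ($path) = @_;
    my (@keep, @dropped);

    # Limit -1 keeps trailing empty fields, so "/a:/b:" gives ("/a", "/b", "").
    for my $dir (split /:/, $path, -1) {
        if ($dir eq '') {
            # "::" or a leading/trailing ":" means "current directory".
            push @dropped, '"" (empty entry)';
        }
        elsif (!File::Spec->file_name_is_absolute($dir)) {
            push @dropped, qq{"$dir" (relative)};
        }
        elsif ($dir =~ m{^([-\w./+]+)$}) {
            push @keep, $1;    # the capture is untainted
        }
        else {
            push @dropped, qq{"$dir" (unexpected characters)};
        }
    }
    return (join(':', @keep), \@dropped);
}

# Constructed sample: the PATH from the message with the undefined
# $OLDPATH already expanded to nothing by the shell.
my $sample = '/usr/bin:.:/usr/java/bin::/usr/local/bin';

my ($clean, $dropped) = clean_path($sample);
print "clean:   $clean\n";
print "dropped: $_\n" for @$dropped;

# Taint mode needs PATH set to a known value before exec/system; the
# directories must also not be writable by others.
$ENV{PATH} = $clean;
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
```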