>From: "Stas Bekman"
> Tulan W. Hu wrote:
> >>From: "Stas Bekman"
> >>Tulan W. Hu wrote:
> >>
> >>>-- Original Message -----
> >>>From: "Stas Bekman"
> >>>
> >>>
> >>>>Please take a look at Apache-Test/lib/Apache/TestConfig.pm
> >>>>
> >>>>sub open_cmd {
> >>>....
> >>>>it calls untaint_path($ENV{PATH}) in the same file. Please take a look
> >>>>at that function and see if you can fix it.
> >>>>
> >>>>If you don't figure out, please apply the patch below and post the
> >>>>console output at the server startup. Thanks.
> >>>
> >>>Thank you for your advise. I do have a long list in the $ENV{PATH}.
> >>
> >>If you don't show us what you have in there, we can't fix it. So it's
the
> >>best that you do (feel free to email me offlist if you think that the
> >>information in that path is somewhat sensitive. untaint_path is supposed
> >>to deal with any path. I guess you have a new case we didn't encounter
> >> yet.
> >
> > I have carefully checked my PATH. I found out the problem is my PATH
> > contains "/usr/bin:.:/usr/java/bin:$OLDPATH:/usr/local/bin.....".
> > where the $OLDPATH was not defined.
> > This became an empty spot, "$path::$other_long_pathes", and caused the
> > security error.
> > You may want to add the case in the untaint_path.
>
> Right. This patch should handle this case. Please confirm that it does.
***** the patch works ok. (tried both perl 5.8.5 and perl 5.8.6)
> Thanks.
>
> Index: Apache-Test/lib/Apache/TestConfig.pm
> ===================================================================
> --- Apache-Test/lib/Apache/TestConfig.pm (revision 148914)
> +++ Apache-Test/lib/Apache/TestConfig.pm (working copy)
> @@ -1699,9 +1699,8 @@
> ($path) = ( $path =~ /(.*)/ );
> # win32 uses ';' for a path separator, assume others use ':'
> my $sep = WIN32 ? ';' : ':';
> - # -T disallows relative directories in the PATH
> - $path = join $sep, grep !/^\./, split /$sep/, $path;
> - return $path;
> + # -T disallows relative and empty directories in the PATH
> + return join $sep, grep !/^(\.|$)/, split /$sep/, $path;
> }
>
> sub pop_dir {
Attached error_log is from
$ t/TEST -clean
$ t/TEST -verbose protocol/pseudo_http.t
and Registryerrlog.txt is from the ModPerl-Registry dir
$ t/TEST -clean
$ t/TEST -verbose closure.t
6-ok on the output.
I guess they are ok since the "harmless" messages are in the log files.
error_log
Description: Binary data
[Fri Jan 28 17:21:29 2005] [notice] Apache/2.0.52 (Unix) mod_perl/1.999.21 Perl/v5.8.6 configured -- resuming normal operations [Fri Jan 28 17:21:29 2005] [info] Server built: Jan 26 2005 08:09:45 [Fri Jan 28 17:21:29 2005] [debug] prefork.c(955): AcceptMutex: pthread (default: pthread) *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. Subroutine counter redefined at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 19. *** The following warn entry is expected and harmless *** Variable "$counter" will not stay shared at /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/cgi-bin/closure.pl line 21. [Fri Jan 28 17:21:35 2005] [info] removed PID file /s5/twh/papache/mod_perl-2.0.0-RC4/ModPerl-Registry/t/logs/httpd.pid (pid=15121) [Fri Jan 28 17:21:35 2005] [notice] caught SIGTERM, shutting down
