Question

I recently enabled Basic Authentication for a TWiki and now I have encountered a peculiar server error. In fact, I don’t know for sure if the error is a result of these changes as I had not visited the particular page generating the error before.

Whenever someone visits bin/view/TWiki/IncludeTopicsAndWebPages (just this page) the client receives the following error:

Insecure dependency in connect while running with -T switch at /usr/local/twiki/lib/TWiki/Net.pm line 103.

Line 103 of Net.pm is the first line of the following code structure (which was contained in various other code structures, none of which I understand. I have no idea how to write Perl. in fact, I don’t even know if the code is Perl and I do not understand what Net.pm is doing or why it is called so I hope this is actually what is causing the ‘insecure dependency’)

103    unless( connect( *SOCK, $paddr ) ) {
104        &TWiki::writeWarning( "TWiki::Net::getUrl connect: $!" );
105        return "content-type: text/plain\n\nERROR: TWiki::Net::getUrlconnect: $!. \n$req";
106    }

My httpd.conf file is rather large (1038 lines) as we are running several other intranet apps on it, but the directives that relate to TWiki are as follows:

# Twiki stuff - added by Ovi on Dec 09, 2004

 ScriptAlias /twiki/bin/ "/usr/local/twiki/bin/"
 Alias /twiki/ "/usr/local/twiki/"
 <Directory "/usr/local/twiki/bin">
    Options +ExecCGI
    SetHandler cgi-script
    Allow from all
# added by Nicholas Engelking on Feb 23, 2005
    AllowOverride All
</Directory>
 <Directory "/usr/local/twiki/pub">
   Options FollowSymLinks +Includes
    AllowOverride None
    Allow from all
 </Directory>
 <Directory "/usr/local/twiki/data">
    deny from all
 </Directory>
 <Directory "/usr/local/twiki/templates">
    deny from all
 </Directory>
# End of Twiki changes

There aren’t actually any directives relating to the lib folder and so (I’m guessing) the error may be a result of some inherited directive higher up, in which case it probably cannot be changed (perhaps overwritten? I don’t really know how Perl app permissions work). Therefore a change to the code to make it “work” would be preferable. (Although any other fix would be welcome).

The only other thing I can think of is that the error might be originating in the view script. There is an .htaccess file in the bin directory. I have the view file setup as follows:

<Files "view">
       allow from all
</Files>

My viewauth script is authenticated but I have no TWikiAccessControl in my TWiki web.

Any help is appreciated. I have a feeling I’m in a bit over my head with script errors here…

Environment

-- NicholasEngelking - 24 Feb 2005

Answer

Nicholas, an insecure dependency occurs when Perl believes you are using "tainted" data from an "untrusted source" i.e. one that may have been compromised, such as user-entered data. It's all rather paranoid. It is highly unlikely to be anything to do with your Apache config. It is more likely to be something wierd with the operating - system - specific - bits of the Perl you are using. The chances are high that there is some link or include on that page that is triggering this warning.

I would suggest you try adding the following immediately before line 103 in Net.pm:

$paddr =~ m/^(.*)$/; $paddr = $1;

If that fails, it should be safe to change the first line of the "view" script to -w instead of -wT (this switches off taint checks throughout the code).

-- CrawfordCurrie - 01 Mar 2005

See also ApacheUpgradeTaintError

-- PeterThoeny - 01 Mar 2005