Bug: Register Fails with Insecure Dependency on Cygwin
I was registering a new user within TWiki. I enabled basic authentication before.
The error information from the browser:
Software error:
Insecure dependency in connect while running with -T switch at /usr/lib/perl5/5.8.5/cygwin-thread-multi-64int/IO/Socket.pm line 114.
For help, please send mail to the webmaster (admin@localhost), giving this error message and the time and date of the error.
The information in the Apache error log:
[Wed Oct 13 15:29:34 2004] [error] [client xx.xx.xx.xx] [Wed Oct 13 21:29:34 2004] c:\twiki\bin\register: Insecure dependency in connect while running with -T switch at /usr/lib/perl5/5.8.5/cygwin-thread-multi-64int/IO/Socket.pm line 114.
[Wed Oct 13 15:32:07 2004] [notice] cannot use a full URL in a 401 ErrorDocument directive --- ignoring!
The new user name can be seen in data/.htpasswd after this failed registration, but it is invisible in the users list in TWiki.
Test the environment for TWiki
Please read the TWikiInstallationNotes for more information on TWiki installation.
Environment variables:
COMSPEC C:\WINNT\system32\cmd.exe
DOCUMENT_ROOT c:/easyphp/www
GATEWAY_INTERFACE CGI/1.1
HOME /twiki
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
HTTP_ACCEPT_ENCODING gzip, deflate
HTTP_ACCEPT_LANGUAGE zh-cn,en-us;q=0.5
HTTP_CONNECTION Keep-Alive
HTTP_COOKIE sboard_settings[member_id]=0; sboard_settings[prevvisit]=1095943866; sboard_settings[current_view]=threaded; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22d9725c9cef2a830ea7bac94e9f14391f%22%3Bs%3A6%3A%22userid%22%3Bi%3A64%3B%7D; usercookie[username]=liao; usercookie[password]=d9725c9cef2a830ea7bac94e9f14391f; sessioncookie=5fef1fb897fb5ad0a35f65200ae75da9
HTTP_HOST xxx.net
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
LOGNAME system
PATH /c/Perl/bin:/c/Program Files/Microsoft Visual Studio/Common/Tools:/c/Program Files/Microsoft Visual Studio/Common/Msdev98/BIN:/c/Program Files/Microsoft Visual Studio/DF98/BIN:/c/Program Files/Microsoft Visual Studio/VC98/BIN:/c/texmf/miktex/bin:/c/WINNT/system32:/c/WINNT:/c/WINNT/System32/Wbem:/c/PROGRA~1/ULTRAE~1:.
QUERY_STRING
RCSINIT -x,v/
REMOTE_ADDR xx.xx.xx.xx
REMOTE_PORT 1315
REQUEST_METHOD GET
REQUEST_URI /twiki/bin/testenv
SCRIPT_FILENAME c:/twiki/bin/testenv
SCRIPT_NAME /twiki/bin/testenv
SERVER_ADDR xx.xx.xx.xx
SERVER_ADMIN admin@localhost
SERVER_NAME xxx.net
SERVER_PORT 80
SERVER_PROTOCOL HTTP/1.1
SERVER_SIGNATURE Apache/1.3.27 Server at xxx.net Port 80
SERVER_SOFTWARE Apache/1.3.27 (Win32) PHP/4.3.3
SYSTEMROOT C:\WINNT
TEMP /c/temp
TERM cygwin
TMP /c/temp
TZ GMT0BST
WINDIR C:\WINNT
CGI Setup:
Operating system: Windows (cygwin)
Perl version: 5.8.5-3 (Cygwin)
@INC library path: ../lib
/usr/lib/perl5/5.8.5/cygwin-thread-multi-64int
/usr/lib/perl5/5.8.5
/usr/lib/perl5/site_perl/5.8.5/cygwin-thread-multi-64int
/usr/lib/perl5/site_perl/5.8.5
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.5/cygwin-thread-multi-64int
/usr/lib/perl5/vendor_perl/5.8.5
/usr/lib/perl5/vendor_perl
.
Note: This is the Perl library path, used to load TWiki modules, third-party modules used by some plugins, and Perl built-in modules.
TWiki module in @INC path:
OK, TWiki.pm found (TWiki version: 01 Sep 2004 $Rev: 1742 $)
Required Perl modules:
CGI (3.05)
CGI::Carp (1.28)
File::Copy (2.08)
File::Spec (0.87)
FileHandle (2.01)
Digest::SHA1 (2.10)
MIME::Base64 (3.01)
Net::SMTP (2.29)
Optional Perl modules:
Algorithm::Diff (1.02)
MIME::Base64 (3.01)
POSIX (1.08)
Encode (2.01)
Unicode::MapUTF8 (1.09)
Unicode::Map (0.112)
Unicode::Map8 (0.12)
Jcode (0.87)
Digest::MD5 (2.33)
PATH_INFO:
Note: For a URL such as http://xxx.net/twiki/bin/testenv/foo/bar, the correct PATH_INFO is /foo/bar, without any prefixed path components. Test this now - particularly if you are using mod_perl, Apache or IIS, or are using a web hosting provider. The page resulting from the test link should have a PATH_INFO of /foo/bar.
mod_perl: Not used for this script (mod_perl not loaded into Apache)
User: system
Note: Your CGI scripts are executing as this user.
Warning: Since your CGI script is not running as user nobody, you need to change the locks in the *,v RCS files of the TWiki distribution from nobody to system. Otherwise, changes to topics will not be logged by RCS.
Fix: If needed, relock all the rcs files to user system
Group(s): administrators administrators root
Test of TWiki.cfg Configuration:
$defaultUrlHost: http://xxx.net
Note: This must match the protocol and host part (with optional port number) of the TWiki URL.
$scriptUrlPath: /twiki/bin
Note: This must match the 'cgi-bin' part of the URL used to access the TWiki cgi-bin directory.
$pubUrlPath: /twiki/pub
Note: This must be the URL of the public directory. This is not set correctly if the /twiki/pub/wikiHome.gif image below is broken:
$pubDir: /twiki/pub
Note: This is the public directory, as seen from the file system. It must correspond to $pubUrlPath.
$templateDir: /twiki/templates
Note: This is the TWiki template directory, as seen from the file system.
Warning: Security issue: This directory should not be writable by the system user.
$dataDir: /twiki/data
Note: This is the data directory where TWiki stores all topics.
$mailProgram: /usr/sbin/sendmail -t -oi -oeq
Note: This is not typically used on Windows - the Perl Net::SMTP module is used instead.
$rcsDir: c:/cygwin/bin
Note: This is the directory where RCS is located.
RCS Version: 5.7 (Cygwin package rcs-5.7-3)
Note: This is the version of RCS which will be used.
$lsCmd: /bin/ls
Note: This is the file list program TWiki uses to list topics.
$egrepCmd: /bin/grep -E
Note: This is a program TWiki uses for search.
$fgrepCmd: /bin/grep -F
Note: This is a program TWiki uses for search.
$safeEnvPath: /usr/bin
Note: This is used to initialise the PATH variable, and is used to run the 'diff' program used by RCS, as well as to run shell programs such as cmd.exe or Cygwin's 'bash'.
Since you are using Cygwin Perl, 'bash' will be used without any special setup.
Path and Shell Environment
Original PATH: /c/Perl/bin:/c/Program Files/Microsoft Visual Studio/Common/Tools:/c/Program Files/Microsoft Visual Studio/Common/Msdev98/BIN:/c/Program Files/Microsoft Visual Studio/DF98/BIN:/c/Program Files/Microsoft Visual Studio/VC98/BIN:/c/texmf/miktex/bin:/c/WINNT/system32:/c/WINNT:/c/WINNT/System32/Wbem:/c/PROGRA~1/ULTRAE~1:/c/Program Files/Symantec/pcAnywhere/:.
Note: This is the PATH value passed in from the web server to this script - it is reset by TWiki scripts to the PATH below, and is provided here for comparison purposes only.
Current PATH: /usr/bin
Note: This is the actual PATH setting that will be used by Perl to run programs. It is normally identical to $safeEnvPath, unless that variable is empty.
diff: GNU diff was found on the PATH - this is the recommended diff tool.
Note: The 'diff' command is used by RCS to compare files.
User Authentication
htpasswd Format Family: htpasswd
htpasswd Encoding: sha1
htpasswd Filename: /twiki/data/.htpasswd
Note: only some combinations of Format, Encoding and Filename are valid, and fewer are tested
Test case
Each time I want to register a new user.
Environment
--
ChunhuaLiao - 13 Oct 2004
Follow up
This is also reported in
Support.RegisterFailureInsecureDependency.
It looks like Cygwin is more strict with taint checking. How to test and fix: In module NetDotPm, sub sendEmail, inside if( $useNetSmtp ), filter $from and @to to keep only safe characters and untaint.
--
PeterThoeny - 14 Oct 2004
Dear Mr. Peter,
Actually, I have another instance of TWiki running on Gentoo Linux and it shows the same problem. Both TWikis worked fine in default mode after a fresh installation. Both of them could send registration emails correctly and promptly. But after I enabled user authentication with some Chinese locale under the instructions of the document, they both show the same problem now.
I posted the detailed information at the trail of the original question:
http://twiki.org/cgi-bin/view/Support/RegisterFailureInsecureDependency
--
ChunhuaLiao - 14 Oct 2004
This came up before at Support.ServerErrorDuringRegistration and Support.ApacheUpgradeTaintError - it is taint related, and probably due to changes in CPAN:Net::SMTP. There seem to be various workarounds, including turning off use of Net::SMTP, and editing TWikiPreferences, but the best solution would be to fix the taint code in NetDotPm and send in a patch.
--
RichardDonkin - 14 Oct 2004
Thank you very much, I set SMTPMAILHOST to NULL in TWikiPreferences and it works now!
--
ChunhuaLiao - 14 Oct 2004
I just want to add some comments about TWiki running on Cygwin. There is no sendmail installed in Cygwin by default, and there will be an error if we let TWiki use it instead of Perl Net::SMTP. Fortunately, there is a simpler substitute for it: ssmtp. We need to configure it manually with the command ssmtp-config. This command will accept the SMTP server name and other necessary parameters and finally create a soft link named sendmail to ssmtp.
--
ChunhuaLiao - 14 Oct 2004
Fix record
Seems like the fix is to properly untaint the value received from SMTPMAILHOST.
As for ssmtp: feel free to write up some notes on this and link them to WindowsInstallCookbook, but since Windows users need to install some other CPAN modules and the Net::* modules are very useful for CPAN installation itself, I think Net::SMTP is not a bad choice.
--
RichardDonkin - 21 Oct 2004
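The untainting that PeterThoeny's note (filter $from and @to in sendEmail) and the fix record (untaint SMTPMAILHOST) both call for, as an added example that is not TWiki's own Net.pm code. The subroutine names untaintHost and untaintAddress and the sample host and addresses are assumptions; the script must be started with perl -T so that the taint checks are actually in effect.

```perl
#!/usr/bin/perl -T
# Added example, not TWiki's own Net.pm code: models the tainted values that
# reach sendEmail ($from, @to, and the SMTPMAILHOST preference) under -T and
# untaints them by keeping only safe characters, as the fix record suggests.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint an SMTP host: host name characters plus an optional :port.
# Returns undef when anything else is present, so the caller can refuse it.
sub untaintHost {
    my ($host) = @_;
    return undef unless defined $host;
    return $host =~ /^([A-Za-z0-9.\-]+(?::\d{1,5})?)$/ ? $1 : undef;
}

# Untaint a mail address with a deliberately narrow local-part@domain set.
# A trailing newline or any other stray character fails the match and the
# address is rejected instead of being handed to Net::SMTP.
sub untaintAddress {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $addr =~ /^([A-Za-z0-9._%+\-]+\@[A-Za-z0-9.\-]+)$/ ? $1 : undef;
}

sub demo {
    # Constructed input: an empty substring of a tainted %ENV value carries the
    # taint flag, so these literals behave like data read from a topic or form.
    my $taint = substr($ENV{PATH} || '', 0, 0);
    my $host  = 'mail.example.com' . $taint;        # hypothetical SMTPMAILHOST
    my $from  = 'webmaster@example.com' . $taint;   # hypothetical $from
    my @to    = ('newuser@example.com' . $taint,    # hypothetical @to
                 "newuser\@example.com\n" . $taint); # must be rejected

    # With the tainted $host, IO::Socket's connect dies with the page's
    # "Insecure dependency in connect while running with -T switch" error.
    printf "host tainted before: %d\n", tainted($host) ? 1 : 0;
    my $safeHost = untaintHost($host);
    defined $safeHost or die "refusing SMTPMAILHOST: unsafe characters\n";
    printf "host tainted after:  %d (%s)\n", tainted($safeHost) ? 1 : 0, $safeHost;
    my $safeFrom = untaintAddress($from);
    defined $safeFrom or die "refusing from address\n";
    # map/grep drop the address with the newline; only clean ones survive.
    my @safeTo = grep { defined } map { untaintAddress($_) } @to;
    printf "recipients kept: %d of %d\n", scalar @safeTo, scalar @to;
    # Net::SMTP->new($safeHost) would now be accepted under -T.
    return ($safeHost, $safeFrom, @safeTo);
}
demo();
```

Run it as perl -T untaint_demo.pl; a plain perl untaint_demo.pl stops with "Too late for -T option" because the switch must be given on the command line.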