Question
I recently enabled Basic Authentication for a TWiki and now I have encountered a peculiar server error. In fact, I don’t know for sure if the error is a result of these changes as I had not visited the particular page generating the error before.
Whenever someone visits bin/view/TWiki/IncludeTopicsAndWebPages (just this page) the client receives the following error:
Insecure dependency in connect while running with -T switch at /usr/local/twiki/lib/TWiki/Net.pm line 103.
Line 103 of Net.pm is the first line of the following code structure (which was contained in various other code structures, none of which I understand. I have no idea how to write Perl. In fact, I don’t even know if the code is Perl and I do not understand what Net.pm is doing or why it is called so I hope this is actually what is causing the ‘insecure dependency’).
103 unless( connect( *SOCK, $paddr ) ) {
104 &TWiki::writeWarning( "TWiki::Net::getUrl connect: $!" );
105 return "content-type: text/plain\n\nERROR: TWiki::Net::getUrlconnect: $!. \n$req";
106 }
My httpd.conf file is rather large (1038 lines) as we are running several other intranet apps on it, but the directives that relate to TWiki are as follows:
# Twiki stuff - added by Ovi on Dec 09, 2004
ScriptAlias /twiki/bin/ "/usr/local/twiki/bin/"
Alias /twiki/ "/usr/local/twiki/"
<Directory "/usr/local/twiki/bin">
Options +ExecCGI
SetHandler cgi-script
Allow from all
# added by Nicholas Engelking on Feb 23, 2005
AllowOverride All
</Directory>
<Directory "/usr/local/twiki/pub">
Options FollowSymLinks +Includes
AllowOverride None
Allow from all
</Directory>
<Directory "/usr/local/twiki/data">
deny from all
</Directory>
<Directory "/usr/local/twiki/templates">
deny from all
</Directory>
# End of Twiki changes
There aren’t actually any directives relating to the lib folder and so (I’m guessing) the error may be a result of some inherited directive higher up, in which case it probably cannot be changed (perhaps overwritten? I don’t really know how Perl app permissions work). Therefore a change to the code to make it “work” would be preferable. (Although any other fix would be welcome).
The only other thing I can think of is that the error might be originating in the view script. There is an .htaccess file in the bin directory. I have the view file set up as follows:
<Files "view">
allow from all
</Files>
My viewauth script is authenticated but I have no TWikiAccessControl in my TWiki web.
Any help is appreciated. I have a feeling I’m in a bit over my head with script errors here…
Environment
--
NicholasEngelking - 24 Feb 2005
Answer
Nicholas, an insecure dependency occurs when Perl believes you are using "tainted" data from an "untrusted source" i.e. one that may have been compromised, such as user-entered data. It's all rather paranoid. It is highly unlikely to be anything to do with your Apache config. It is more likely to be something weird with the operating-system-specific bits of the Perl you are using. The chances are high that there is some link or include on that page that is triggering this warning.
I would suggest you try adding the following immediately before line 103 in Net.pm:
$paddr =~ m/^(.*)$/s; $paddr = $1;  # /s lets . match newline bytes, which a packed address can contain
This is a process known as "untainting", it should be safe and it might cure the problem.
If that fails, it should be safe to change the first line of the "view" script to -w instead of -wT (this switches off taint checks throughout the code).
--
CrawfordCurrie - 01 Mar 2005
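An added example (not part of the answer above, and not TWiki code) of untainting by validation: rather than a catch-all capture, the host and port are checked against strict patterns before the packed address for connect() is built. The helper names and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -wT
# Added example, not TWiki code: untaint by validating, not with m/^(.*)$/.
use strict;
use Scalar::Util qw(tainted);
use Socket qw(inet_aton sockaddr_in);

# Return an untainted copy of a host name or dotted IPv4 address, or undef.
# \A and \z anchor the whole string, so an embedded newline is rejected.
sub untaint_host {
    my ($host) = @_;
    return undef unless defined $host && length($host) <= 253;
    return undef
      unless $host =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)\z/;
    my $clean = $1;    # a capture from a successful match is not tainted
    return $clean;
}

# Return an untainted port number in 1..65535, or undef.
sub untaint_port {
    my ($port) = @_;
    return undef unless defined $port && $port =~ /\A([0-9]{1,5})\z/;
    my $n = $1;
    return ( $n >= 1 && $n <= 65535 ) ? $n : undef;
}

# Build the packed address that connect() takes, from validated parts only.
sub build_paddr {
    my ( $host, $port ) = @_;
    my $h = untaint_host($host);
    my $p = untaint_port($port);
    return undef unless defined $h && defined $p;
    my $iaddr = inet_aton($h);    # a dotted quad needs no DNS lookup
    return defined $iaddr ? sockaddr_in( $p, $iaddr ) : undef;
}

# Constructed sample input. $^X is tainted under -T, so appending an empty
# slice of it marks each sample as tainted, like data taken from a request.
my $taint   = substr( $^X, 0, 0 );
my @samples = ( [ '192.0.2.10', '80' ], [ "192.0.2.10\nx", '80' ], [ '192.0.2.10', '99999' ] );
for my $sample (@samples) {
    my ( $host, $port ) = map { $_ . $taint } @$sample;
    my $paddr = build_paddr( $host, $port );
    ( my $shown = $host ) =~ s/\n/\\n/g;
    printf "%-16s port %-5s input tainted=%d  paddr=%s\n", $shown, $port,
      ( tainted($host) ? 1 : 0 ),
      defined $paddr ? ( tainted($paddr) ? 'tainted' : 'untainted' ) : 'rejected';
}
```

Run it with `perl -T` so that taint mode is active from startup. Keeping -T and validating each value preserves the taint checks for the rest of the script, which switching to -w removes.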
See also
ApacheUpgradeTaintError
--
PeterThoeny - 01 Mar 2005