SID-01980: Software error accessing the configure script.

Status: Answered
TWiki version: 6.0.0
Perl version: 5.12.2
Category: CategoryInstallation
Server OS: 64bit Fedora
Web server: Apache 2.2.8
Browser & version: Firefox 31.1.0
Last update: 8 years ago

I'm finishing my installation of twiki 6. I've modified several parameters at configure without any problem.

Now I was going to check the installed plugins to see which other plugins I should install, and so on.

But when I try to access configure, I get this:

TWiki Administrator Login Software error:

CGI::param called in list context from package TWiki::Configure::Valuer line 95, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/lib/perl5/site_perl/5.12.2/CGI.pm line 423, <DATA> line 1.

I think the last parameter I modified was the one linked to removing expired sessions and so on (according to the documentation, I've set a negative number and I've put that task in a crontab line).

After that I've updated/installed some perl CPAN modules, following the Required and Optional CPAN modules at http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide

What can I do? Is that line 95 the one at LocalSite.cfg (that's "{RCS}{ExtOption}", currently empty)?

-- Dani Molina - 2014-10-10

Discussion and Answer

This is strange.

As far as I can tell, calling CGI::param in list context is (and has always been) valid behaviour, and in various versions of Perl I could not spot a warning in CGI.pm or its documentation for the headline. Line 95 of Valuer.pm does not fetch the value or values of a single named parameter, it does not pass a parameter name at all and should therefore receive a list of parameter names.

Is there any chance that you have a local installation of CGI.pm? Line 423 of this module apparently issues the warning; in current CGI.pm (version 3.63, July 2009) this is a comment line before sub param.

-- Harald Jörg - 2014-10-11

When you say "local installation of CGI.pm" do you mean at our server? Yes, we have CGI CPAN module (version 4.07) installed on it. We are using perl 5.12.2

What can I/we check?

I was planning to upgrade twiki to 6.0.1 (I realized last Friday that 6.0.0 was not the latest version) before continuing. But by your words it doesn't seem to be the solution...

-- Dani Molina - 2014-10-13

I've installed twiki on another computer (different Linux, CentOS 6.5; different version of perl, 5.10.1, different installation directories of twiki) and after a few basic modifications on configure, I got a very similar (maybe the same, I'm not sure) error there:

CGI::param called in list context from package TWiki::Configure::Valuer line 108, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/share/perl5/CGI.pm line 425, <DATA> line 1.

What can we do?

Thinking about what I do the same way on both computers, it's the way I install perl modules (most of them via the install command inside a perl shell), so, although the perl version is different, I've seen that the version of several perl modules twiki needs is the same. Is it possible that there is a bug in some perl module, CGI or other, or some incompatibility with twiki code? How could we check it?

I'm using CGI module version 4.07 (last one) on both computers.

Please, help me, I'm in a big mess,

-- Dani Molina - 2014-10-14

I guess that you need to figure out which module / part of your TWiki codebase issues this warning. In my installations, neither TWiki nor CGI.pm nor any of its sub-modules contain the string for this warning. That's why I asked, and thanks for providing the version you are using, though this doesn't provide a final clue.

Right now there is a recent mail thread which shows the same error outside of TWiki: http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1267701.html

So for a start, you would not need to install CGI.pm at all on any Linux system which contains a perl installation prior to Perl 5.20, because in "older" Perl packages CGI.pm was part of the Perl core. You could verify whether there's a bug introduced in the "current" CGI package by the following procedure:

  1. Check whether your Perl core already has a CGI.pm. The installation directory depends on the distribution, and I know nothing about Fedora or CentOS; Ubuntu has it in /usr/share/perl/5.18/CGI.pm (should be some directory without /local/ in the path on any system).
  2. If yes: Rename your local /usr/local/lib/perl5/site_perl/5.12.2/CGI.pm (Fedora) or /usr/local/share/perl5/CGI.pm (CentOS), and the directories /usr/local/lib/perl5/site_perl/5.12.2/CGI (Fedora) or /usr/local/share/perl5/CGI (CentOS).
  3. See if the error persists. If you are using a persistent perl interpreter like FastCGI or mod_perl, you'll need to restart the web server.
  4. If the error is still there, then I'm out of wit. You could grep for 'this can lead to vulnerabilities' or some other substring of the error text to find out where it comes from. It is strange that in your two systems it is line 423 on Fedora and line 425 on CentOS, but neither looks like a print or warn in CGI.pm. Perl can cheat about the origin of a warning by propagating it from a called subroutine, but there's just a call to CGI::Util::rearrange, which doesn't warn or carp or die.
  5. If the error is gone, then I would advise to keep CPAN's CGI out of the way until the bug is fixed.

-- Harald Jörg - 2014-10-14
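Steps 1 and 4 of Harald's procedure come down to two questions: which copies of CGI.pm are visible to the interpreter, and which one of them "require CGI" actually loads, and does that copy contain the warning text. The script below is an added example (it is not from this thread and not TWiki code) that answers both with core Perl only. It assumes nothing about the installation beyond being run with the same perl binary, and the same -I paths, that the web server uses for TWiki; the "local" column is a path heuristic (anything under /local/ or site_perl is assumed not to be the distribution's core copy).

```perl
#!/usr/bin/env perl
# Added example, not part of the thread or of TWiki: list every CGI.pm
# visible to this perl, report its version and whether it carries the
# list-context warning text, and show which copy "require CGI" picks.
use strict;
use warnings;

# The distinctive part of the warning quoted in the thread.
my $NEEDLE = 'this can lead to vulnerabilities';

# Return a reference to a list of { path, version, has_warning, is_local }
# for every CGI.pm found directly under an @INC directory.
sub find_cgi_pm {
    my @found;
    for my $dir (@INC) {
        next if ref $dir;                      # code refs may sit in @INC
        my $path = "$dir/CGI.pm";
        next unless -f $path;
        open my $fh, '<', $path or next;
        my $src = do { local $/; <$fh> };      # slurp the whole file
        close $fh;
        # Matches both "$CGI::VERSION='4.07';" and "our $VERSION = '4.07';"
        my ($ver) = $src =~ /^\s*(?:our\s+)?\$(?:CGI::)?VERSION\s*=\s*['"]?([\d._]+)/m;
        push @found, {
            path        => $path,
            version     => defined $ver ? $ver : 'unknown',
            has_warning => index( $src, $NEEDLE ) >= 0 ? 1 : 0,
            # Heuristic (assumption): non-core installs live under
            # /local/ or site_perl on the distributions in this thread.
            is_local    => $path =~ m{/local/|/site_perl/} ? 1 : 0,
        };
    }
    return \@found;
}

my $copies = find_cgi_pm();
if (@$copies) {
    printf "%-8s %-8s %-6s %s\n", 'version', 'warning', 'local', 'path';
    printf "%-8s %-8s %-6s %s\n", @{$_}{qw(version has_warning is_local path)}
        for @$copies;
} else {
    print "no CGI.pm found under \@INC\n";
}

# The copy that wins is the first @INC entry that has one; confirm by
# loading it, which is what TWiki's "use CGI" does.
if ( eval { require CGI; 1 } ) {
    no warnings 'once';
    printf "loaded: %s (version %s)\n", $INC{'CGI.pm'}, $CGI::VERSION;
} else {
    print "CGI.pm could not be loaded: $@";
}
```

Run it as the web server's user with the same perl the CGI scripts use (the first line of twiki/bin/view tells you which), and add the -I paths from bin/LocalLib.cfg if there are any, because @INC under Apache is what decides which copy wins, not @INC in your login shell. A copy with warning=1 that is also the one reported as loaded is the one to move out of the way or pin to a different version; under mod_perl or FastCGI the web server must be restarted before the change takes effect.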

Hello,

unfortunately it doesn't work here. I renamed the directory CGI and CGI.pm and restarted the server, but after the configure login, when I try to download extensions, the error occurs:

CGI::param called in list context from package TWiki::Configure::UIs::PromptPASS line 50, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib/perl5/site_perl/5.18.1/CGI.pm line 425, <DATA> line 1.

I'm using openSUSE 13.1 with Perl 5.18, Apache 2.4 and Perl CGI 4.07.

Any Idea?

Regards Poul

-- Poul Poulsen - 2014-10-15

Debian lists a bug with the same message: http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg372609.html

This could be a security check by newer Perl versions. I looked at the TWiki configure code. Indeed, multiple parameters of the same name are handled as a single parameter. Try this patch:

lib/TWiki/Configure/UIs/PromptPASS.pm
===================================================================
--- TWiki/Configure/UIs/PromptPASS.pm   (revision 28198)
+++ TWiki/Configure/UIs/PromptPASS.pm   (working copy)
@@ -47,8 +47,11 @@
     # Pass URL params through, except those below
     foreach my $param ( $TWiki::query->param ) {
         next if ( $nonos{$param} );
-        $output .= $this->hidden( $param, $TWiki::query->param($param) );
-        $output .= "\n";
+        my @values = $TWiki::query->param($param);
+        foreach my $value ( @values ) {
+            $output .= $this->hidden( $param, $value );
+            $output .= "\n";
+        }
     }

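Review bot: the new line "my @values = $TWiki::query->param($param);" still calls param() with a name in list context, which is precisely the call the CGI.pm 4.05+ check complains about, so the warning moves from the removed line to this one instead of going away; fetch the values with multi_param($param) where the installed CGI.pm provides it, or set $CGI::LIST_CONTEXT_WARN = 0 before configure loads, and keep this loop for the shape fix it does make (one hidden field per value instead of splicing every value into the argument list of hidden()). The hunk header counts 8 old lines but only 7 are shown, so the trailing context line is missing from the quote.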
Let us know if this fixes the issue.

-- Peter Thoeny - 2014-10-15

Hello, unfortunately not.

Error message after clicking "find new extensions".

CGI::param called in list context from package TWiki::Configure::UIs::PromptPASS line 50, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib/perl5/site_perl/5.18.1/CGI.pm line 425, <DATA> line 1.

Hope it helps, Poul

-- Poul Poulsen - 2014-10-16

OK, there are two more places. Here are all three files that you can patch:

Index: UIs/PromptPASS.pm
===================================================================
--- UIs/PromptPASS.pm   (revision 28198)
+++ UIs/PromptPASS.pm   (working copy)
@@ -47,8 +47,11 @@
     # Pass URL params through, except those below
     foreach my $param ( $TWiki::query->param ) {
         next if ( $nonos{$param} );
-        $output .= $this->hidden( $param, $TWiki::query->param($param) );
-        $output .= "\n";
+        my @values = $TWiki::query->param($param);
+        foreach my $value ( @values ) {
+            $output .= $this->hidden( $param, $value );
+            $output .= "\n";
+        }
     }
 
     # and add a few more
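Review bot: this is the same hunk as the one posted above and has the same open point: "my @values = $TWiki::query->param($param);" is a named param() call in list context, so on CGI.pm 4.05 and later the warning will be reported from this line (the reporter's follow-up shows exactly that, PromptPASS line 50 again). Use multi_param($param) when CGI.pm has it, otherwise suppress the check explicitly with $CGI::LIST_CONTEXT_WARN = 0 and say so in a comment next to the call.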
Index: UIs/SETPASS.pm
===================================================================
--- UIs/SETPASS.pm   (revision 28198)
+++ UIs/SETPASS.pm   (working copy)
@@ -47,8 +47,11 @@
     # Pass URL params through, except those below
     foreach my $param ( $TWiki::query->param ) {
         next if ($nonos{$param});
-        $output .= $this->hidden( $param, $TWiki::query->param( $param ));
-        $output .= "\n";
+        my @values = $TWiki::query->param($param);
+        foreach my $value ( @values ) {
+            $output .= $this->hidden( $param, $value );
+            $output .= "\n";
+        }
     }
 
     # and add a few more
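Review bot: this loop is byte-for-byte identical to the one in PromptPASS.pm and AUTH.pm, so the follow-up change this patch will need (replacing the list-context "$TWiki::query->param($param)" with multi_param or an explicit suppression) has to be made three times; a single pass-through helper on the object these files already call "$this->hidden" on would let all three screens share one correct implementation and one $nonos-style exclusion list.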
Index: UIs/AUTH.pm
===================================================================
--- UIs/AUTH.pm   (revision 28198)
+++ UIs/AUTH.pm   (working copy)
@@ -47,8 +47,11 @@
     # Pass URL params through, except those below
     foreach my $param ( $TWiki::query->param ) {
         next if ($nonos{$param});
-        $output .= $this->hidden( $param, $TWiki::query->param( $param ));
-        $output .= "\n";
+        my @values = $TWiki::query->param($param);
+        foreach my $value ( @values ) {
+            $output .= $this->hidden( $param, $value );
+            $output .= "\n";
+        }
     }
 
     $output .= CGI::hidden('newCfgP', $this->{newCfgP});

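Review bot: every request parameter not listed in %nonos is reflected back into the page through "$this->hidden( $param, $value )", now one field per value; the patch changes how many fields are emitted but not what goes into them, so it is worth confirming that hidden() HTML-escapes both the name and the value it is given, since both come straight from the request and the %nonos check filters by name only. The hunk also still has the list-context "$TWiki::query->param($param)" call that the other two files have, with the same fix (multi_param or an explicit $CGI::LIST_CONTEXT_WARN = 0).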
-- Peter Thoeny - 2014-10-16

Hello,

good news!

Patching all three files in conjunction with renaming CGI.pm and the directory CGI inside perl_sites works. Configure runs now. I will check whether errors occur when I use twiki (create the first page and so on).

Regards Poul

-- Poul Poulsen - 2014-10-17

Hi again, and thank you in advance for your time, Harald & Peter,

After renaming CGI.pm and the CGI directories inside my perl installation and restarting the web server, the whole twiki stopped working (Internal Server Error) and I couldn't access configure (Could not load CGI::Carp. Please install this module before continuing).

I'm also fixing another issue in parallel (that's why I didn't answer in the last few days). I saw twiki was using perl 5.12 but it had no mod_perl on it, so the web server and twiki are using mod_perl from perl 5.10 (from the old system's installation of perl). I'm in the process of fixing that.

After applying the patch to the three foreach loops, I still get this error when clicking the Next button inside configure:

Software error: CGI::param called in list context from package TWiki::Configure::Valuer line 108, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/lib/perl5/site_perl/5.12.2/CGI.pm line 425, <DATA> line 1.

-- Dani Molina - 2014-10-17

OK, thanks Dani, please apply this patch too:

Index: TWiki/Configure/Valuer.pm
===================================================================
--- TWiki/Configure/Valuer.pm   (revision 28280)
+++ TWiki/Configure/Valuer.pm   (working copy)
@@ -95,14 +95,17 @@
     foreach $param ( $query->param ) {
         # the - (and therefore the ' and ") is required for languages
         # e.g. {Languages}{'zh-cn'}.
-        next unless $param =~ /^TYPEOF:((?:\{[-\w'"]+})*)/;
+        next unless $param =~ /^TYPEOF:((?:\{[-:\w'"]+})*)/;
         my $keys = $1;
         # The value of TYPEOF: is the type name
         my $typename = $query->param( $param );
         $typename =~ /(\w+)/; $typename = $1; # check and untaint
         my $type = TWiki::Configure::Type::load($typename);
-   my $newval;
-        if( $type->{NeedsQuery} ) {
+        my $newval = '';
+        if( $typename =~ m/GROUP/ ) {
+            my @values = $query->param($keys);
+            $newval = $type->string2value(@values);
+        } elsif( $type->{NeedsQuery} ) {
             $newval = $type->string2value($query, $keys);
         } else {
             $newval = $type->string2value($query->param( $keys ));

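Review bot: the new GROUP branch, "my @values = $query->param($keys);", is again a named param() call in list context, so the warning will simply be reported from this line next (the follow-up in the thread shows it moving to Valuer line 120); use multi_param($keys) where available or suppress the check explicitly. Two further points on this hunk: the regex change from "[-\w'"]" to "[-:\w'"]" widens which TYPEOF: keys configure accepts from the request by admitting ":" into key names, which has nothing to do with the warning and is not explained in the message, so it should either carry a comment saying which setting needs a colon or go in a separate patch; and "$typename =~ m/GROUP/" selects the branch by substring match on the type name rather than by a property of the loaded $type, unlike the existing "$type->{NeedsQuery}" flag one line below, so a type attribute would be the more robust switch. The hunk header announces 17 new lines but the quote stops inside the else branch, so the end of the if/else is not visible here.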
-- Peter Thoeny - 2014-10-17

It didn't work. Now I get:

CGI::param called in list context from package TWiki::Configure::Valuer line 90, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/lib/perl5/site_perl/5.12.2/CGI.pm line 425, <DATA> line 1.

-- Dani Molina - 2014-10-20

Sorry, no, I checked old twiki (v4). The error on twiki 6.0.0 is

CGI::param called in list context from package TWiki::Configure::Valuer line 120, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/lib/perl5/site_perl/5.12.2/CGI.pm line 425, <DATA> line 1

-- Dani Molina - 2014-10-20

Finally, I got it: The new warning has been introduced in CGI.pm with CGI version 4.05, motivated by this blog post. I guess you've grabbed your version 4.07 directly from github or some other "very current" source since on CPAN there's still CGI version 4.04: http://search.cpan.org/~leejo/CGI/. By the way: The topic of the blog post is not at all a "New Class of Vulnerability" as the blog post claims, it is an ancient pitfall of CGI.pm (see e.g. http://seclists.org/vulnwatch/2006/q4/6) that web programmers should be aware of: it has always been documented behaviour.

There are three ways to get around the issue:

  1. Install CGI version 4.04 from CPAN.
  2. Grab CGI.pm version 4.09 from github, and add a line use CGI; $CGI::LIST_CONTEXT_WARN = 0; to your .../bin/LocalLib.cfg (or create this file with just that line if it doesn't exist). This assumes that CGI.pm is on your perl path, the use CGI is to make sure that loading CGI.pm happens before you set the variable. I recommend LocalLib.cfg because this file will not be re-written by configure or other TWiki code. According to recent commit messages on github, Lee Johnson is still tweaking the new warning to get it right and to suppress it where it isn't necessary at all.
  3. Fix all the instances in TWiki where CGI::param is called in list context.
The first should be the easiest, the second silences the warning if you want to keep up with bleeding-edge CGI.pm and the third really fixes the issue, but may be a tedious trial-and-error process.

I also dare to flag this as "Answered question", feel free to re-open if you have more questions or remarks.

-- Harald Jörg - 2014-10-22
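The pitfall Harald describes in his last paragraph, as an added example in Perl (it is not code from this thread or from TWiki): a parameter sent more than once is spliced into a hash constructor through param() in list context, the scalar-context form fixes it, and an explicit multi-value fetch of the kind the configure pass-through in the patches above needs is shown beside it. It assumes a CGI.pm is installed (core before Perl 5.20, from CPAN after that); the query string is constructed attacker input, and the user hash with its is_admin key is made up for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not from the thread or from TWiki's code base: the
# CGI.pm list-context pitfall behind the 4.05+ warning, and the two
# safe ways of fetching a parameter.  Needs CGI.pm installed.
use strict;
use warnings;
use CGI;

# Silence the warning in CGI.pm versions that honour this variable so the
# script runs unchanged everywhere; production code fixes its call sites.
{ no warnings 'once'; $CGI::LIST_CONTEXT_WARN = 0; }

# CGI->new accepts a raw query string, so no web server is needed.
# Constructed attacker input: "name" is sent three times.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# Unsafe: param() in list context inside a hash constructor.  All three
# values are spliced into the list, so the list becomes
#   ('is_admin', 0, 'name', 'alice', 'is_admin', '1')
# and the attacker-supplied pair overrides the is_admin default.
sub build_user_unsafe {
    my ($q) = @_;
    my %user = ( is_admin => 0, name => $q->param('name') );   # list context
    return \%user;
}

# Safe: force scalar context.  Only the first value is used and the hash
# always has the shape the code expects, however many values were sent.
sub build_user_safe {
    my ($q) = @_;
    my %user = ( is_admin => 0, name => scalar $q->param('name') );
    return \%user;
}

# When every value is wanted (the configure pass-through case), ask for
# them explicitly.  multi_param() exists in newer CGI.pm; older versions
# only offer param() in list context, which is then used on purpose.
sub all_values {
    my ( $q, $name ) = @_;
    return $q->can('multi_param') ? $q->multi_param($name)
                                  : $q->param($name);
}

# Round-trip a multi-valued parameter as one hidden field per value.
# -override stops CGI.pm from substituting the "sticky" request values,
# and hidden() escapes name and value for HTML.
sub hidden_fields {
    my ( $q, $name ) = @_;
    return $q->hidden(
        -name     => $name,
        -value    => [ all_values( $q, $name ) ],
        -override => 1,
    );
}

my $bad  = build_user_unsafe($q);
my $good = build_user_safe($q);
printf "unsafe: is_admin=%s name=%s\n", $bad->{is_admin},  $bad->{name};
printf "safe:   is_admin=%s name=%s\n", $good->{is_admin}, $good->{name};
print hidden_fields( $q, 'name' ), "\n";
```

Run it from the command line; with a string passed to CGI->new no web server is involved. The unsafe function prints is_admin=1 and the safe one is_admin=0, and build_user_unsafe is exactly the kind of call the CGI.pm 4.05+ check is there to flag. That is the trade-off between Harald's options: setting $CGI::LIST_CONTEXT_WARN = 0 in LocalLib.cfg (option 2) keeps configure running but leaves every list-context call in place, while option 3 is the one that removes the hazard from the code.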

Hey Harald,

this could be a really stupid question. I tried installing CGI 4.04 using perl -MCPAN -e shell. Afterwards I typed 'install CGI4.04', because I didn't know what else could work. What would be the right way?

-- Carolin Preuss - 2014-10-23

Hi, Harald, thank you very much for all your work,

The second option didn't work for me (updating CGI to 4.09, now available via the update command inside a perl shell, and adding the line you say at the beginning of bin/LocalLib.cfg). Then I tried the first one, downgrading CGI to version 4.04, removing all CGI.pm files and CGI directories, and installing the 4.04 downloaded from cpan.org. Now the twiki web pages are working, but I get this error accessing configure (not when saving, but on the screen where it shows the settings):

Software error: Use of uninitialized value $_[0] in join or string at /home/hpc/gaia/web/Twiki6/lib/TWiki/Configure/UI.pm line 138.

Maybe it needs other modules to downgrade?

-- Dani Molina - 2014-10-24

Carolin, you can download the CGI tgz for version 4.04 at search.cpan.org and then install it using perl Makefile.PL, make, make test and (if everything is ok) make install

-- Dani Molina - 2014-10-24

Harald, maybe I need to undo the changes Peter ask me to do?

-- Dani Molina - 2014-10-24

Carolin: You should just type install CGI because as far as I can see version 4.04 is what CPAN will provide right now (or use Dani's recipe).

Dani: The changes Peter asked to do are fine to solve the problem. Installing 4.04 is more of a workaround to keep the number of local patches low. But apparently you now fell victim to the issue of SID-01981. There's a patch available at TWikibug:Item7578. Ouch. Sorry.

-- Harald Jörg - 2014-10-24

Hahaha, yes, Harald, I found a lot of bugs in 6.0.0 version, but no worries, someone had to find them, I was delighted to help you all (to help me). Applying the patch at item 7578 it works fine. I will postpone updating to 6.0.1 as maybe you plan to include all these patches (or similar) in some future version.

Thank you very much for your appreciated help!

-- Dani Molina - 2014-10-27

On finding many bugs in 6.0.0: we test our releases extensively. It is not possible to anticipate new versions of libraries that behave differently from earlier versions. If you run the TWiki-VM you will not experience these issues because you will have a controlled environment. See DownloadTWikiVM.

-- Peter Thoeny - 2014-10-27

The CGI of Perl 5.18.2 behaves differently now. Try setting $CGI::LIST_CONTEXT_WARN = 0 in your twiki/bin/LocalSite.cfg. Let us know if that helps.

Source: https://github.com/leejo/CGI.pm/issues/149

-- Peter Thoeny - 2014-12-15

Question to HaraldJoerg:

What is the best place to add the $CGI::LIST_CONTEXT_WARN = 0? The BEGIN section of TWiki.pm or TWiki/Engine/CGI.pm? Other?

-- Peter Thoeny - 2014-12-15

Some background: The Perl CGI module is unfortunately a moving target. Make sure to use CPAN:CGI >=3.18 to <=4.03. See also SID-02001 and AddCGIpmToTWikiCore.

-- Peter Thoeny - 2015-10-24

A new extension is now available that addresses the CGI issue: CgiContrib - for background see AddCGIpmToTWikiCore.

-- Peter Thoeny - 2015-10-28

Topic revision: r24 - 2015-10-28 - PeterThoeny
 