
This queue is for tickets about the POE CPAN distribution.

Report information
The Basics
Id: 19037
Status: resolved
Priority: 0/
Queue: POE

People
Owner: Nobody in particular
Requestors: sjorsgielen [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Possible security bug in POE
Date: Tue, 2 May 2006 22:15:54 +0200
To: bug-poe [...] rt.cpan.org
From: dazjorz <sjorsgielen [...] gmail.com>
(The test case is also downloadable from http://www.dazjorz.com/testcase.tar.gz)

Hi,

I think I've found a security bug in POE. The attached file contains two scripts, main.pl and functions.pl. I've stripped out everything that's not needed and made a simple test case.

The program first makes a SocketFactory, and in the Accepted event it makes a Wheel::ReadWrite. The incoming data subroutine then calls a 'cmd_quit' subroutine which is supposed to leave a message and close the socket. Because Wheel::ReadWrite has no flush method, and otherwise the "bye-bye" message wouldn't ever reach the user, the cmd_quit sub sets a kill_after_flush in the HEAP (as described in http://poe.perl.org/?POE_Cookbook/Graceful_Wheel_Shutdown). Then in the flushed event, if this variable is set, it closes the socket. After that, it's _supposed_ to destroy the session, and the HEAP with it, and also the kill_after_flush variable.

The first time I connect to the server, this completely works. When I type anything, it says 'Bye-bye!' and closes the socket. But the second time I connect, it gives the welcome message and then closes directly after that. After I added a print statement to the flushed event, I saw that the kill_after_flush variable is still set.

Log of the telnets:

    server:~/testcase# telnet localhost 24680
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    001 (Here comes a message, it's removed in this test case)
    exit
    007 Bye-bye!
    Connection closed by foreign host.
    server:~/testcase# telnet localhost 24680
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    001 (Here comes a message, it's removed in this test case)
    Connection closed by foreign host.
    server:~/testcase# telnet localhost 24680
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    001 (Here comes a message, it's removed in this test case)
    Connection closed by foreign host.

Meanwhile, the server runs in another window:

    server:~/testcase# perl main.pl
    Running.
    Shutdown bit set, closing connection.
    Shutdown bit set, closing connection.
    Shutdown bit set, closing connection.

I'm not sure if this is really a bug in POE, or that I've just done something wrong in my program.

DaZjorz
Download testcase.tar.gz
application/x-gzip 1000b


Yes, you have a problem. :)
You set $_[HEAP]->{kill_after_flush}. This sets the kill flag for the WHOLE POE::Session. When the next connection comes in, the flag is already set.
This is not a problem with POE::Component::Server::TCP as it makes a separate session for each incoming connection.
From: sjorsgielen [...] gmail.com
On Wed May 03 12:30:55 2006, IMMUTE wrote:
> Yes, you have a problem. :)
> You set $_[HEAP]->{kill_after_flush}. This sets the kill flag for the
> WHOLE POE::Session. When the next connection comes in, the flag is
> already set.
> This is not a problem with POE::Component::Server::TCP as it makes a
> separate session for each incoming connection.
Yes, I saw that while going through the code. I used POE::Component::Server::TCP before, but then I switched to the SocketFactory. I forgot to make a new session for every new socket, because I thought that would happen automatically.
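
The cause identified in this thread is connection state stored once on a HEAP that every connection in the session shares. The sketch below is an added example, not the ticket's testcase.tar.gz and not code from POE: it keeps a single session but stores the wheel and its shutdown flag in a record keyed by wheel ID. The event names and the `conn` HEAP key are assumptions; the port and the 001/007 replies mirror the telnet log above.

```perl
#!/usr/bin/perl
# Added example: one session, many connections, with the shutdown flag
# stored per wheel instead of once on the session-wide HEAP.
use strict;
use warnings;
use POE qw(Wheel::SocketFactory Wheel::ReadWrite);

POE::Session->create(
    inline_states => {
        _start => sub {
            # Port 24680 is the one used in the ticket's telnet log.
            $_[HEAP]{listener} = POE::Wheel::SocketFactory->new(
                BindAddress  => '127.0.0.1',
                BindPort     => 24680,
                Reuse        => 'on',
                SuccessEvent => 'accepted',
                FailureEvent => 'listen_failed',
            );
        },
        accepted => sub {
            my $wheel = POE::Wheel::ReadWrite->new(
                Handle       => $_[ARG0],
                InputEvent   => 'input',
                FlushedEvent => 'flushed',
                ErrorEvent   => 'io_error',
            );
            # Fresh per-connection record for every accepted socket.
            $_[HEAP]{conn}{ $wheel->ID } = { wheel => $wheel, kill_after_flush => 0 };
            $wheel->put('001 Welcome');
        },
        input => sub {
            my ($heap, $wheel_id) = @_[HEAP, ARG1];
            my $conn = $heap->{conn}{$wheel_id} or return;
            # Flag only this connection; other clients are untouched.
            $conn->{kill_after_flush} = 1;
            $conn->{wheel}->put('007 Bye-bye!');
        },
        flushed => sub {
            my ($heap, $wheel_id) = @_[HEAP, ARG0];
            my $conn = $heap->{conn}{$wheel_id} or return;
            # Deleting the record drops the wheel (closing the socket) and
            # the flag together, so nothing carries over to the next client.
            delete $heap->{conn}{$wheel_id} if $conn->{kill_after_flush};
        },
        io_error      => sub { delete $_[HEAP]{conn}{ $_[ARG3] } },
        listen_failed => sub { delete $_[HEAP]{listener} },
    },
);

POE::Kernel->run();
```

With this layout the flushed event that follows the welcome message finds `kill_after_flush` at 0 for the new wheel, so a second client is no longer disconnected by the first client's flag.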