Bug #45710 for Net-FTPSSL: Net::FTPSSL "Use of uninitialized value" (with proposed fix)

Mon May 04 18:39:21 2009 DJenkins [...] istreamfs.com - Ticket created

Subject:	Net::FTPSSL "Use of uninitialized value" (with proposed fix)
Date:	Mon, 4 May 2009 17:38:42 -0500
To:	bug-Net-FTPSSL [...] rt.cpan.org
From:	"Dennis Jenkins" <DJenkins [...] istreamfs.com>

Hello, First, thank you very much for Net::FTPSSL. This module is exactly what I needed. I am implementing an in-house FTP solution using the Net::FTPSSL module (ver 0.08 on perl 5.8.8). I came across a bug / issue (feature?) in that the module reports two errors about use of an uninitialized variable when executing "$ftp->nlst" against an empty directory on the FTP server. The uninitialized variable is "$dati" and is defined on line 305 (at top of function "list"). By changing the line from "my $dati;" to "my $dati = "";" the problem goes away. It works for me, but I have not done any extensive testing against multiple servers. This is my code (simplified) that uses your FTPSSL module: use strict; use Net::FTPSSL; sub recv_process($$) { my $ftp_user = shift; my $ftp_pass = shift; my $ftp = Net::FTPSSL->new($ftp_host, Port=>$ftp_port, Timeout=>15, Debug=>$ftp_debug ) or die "Can't connect to $ftp_host: $@"; $ftp->login ($ftp_user, $ftp_pass) or die "FTP Error: ", $ftp->message; $ftp->cwd ("/Inbox") or die "FTP cwd('/Inbox') failed: ", $ftp->message; my @dir = $ftp->nlst ("") or die "FTP 'nlst' failed: ", $ftp->message; $ftp->binary() or die "FTP 'binary' failed: ", $ftp->message; foreach my $file (@dir) { if ($fake_it) { print "Cowardly refusing to download file: $file\n"; } else { my $local_file = $download_dir . "/" . $file; if ($verbose) { print "Saving: $local_file\n"; } $ftp->get ($file, $local_file) or die "FTP 'get $file' failed ", $ftp->message; } } print "\n"; $ftp->quit; } And the results of executing it with "Debug=>1" (user, pass, ip obfuscated): ftpc-1 bofa # ./bofa_xfer.pl -test -v -recv -d SKT <<< 220 SSP FTP Server ready. SKT >>> AUTH TLS SKT <<< 234 Security data exchange complete. Show quoted text

>>> USER xxxxxxxxxx

<<< 331 User name okay, need password. Show quoted text

>>> PASS *******

<<< 230 User xxxxxxxxxx logged in. Show quoted text

>>> CWD /Inbox

<<< 250 Requested file action okay, completed. Show quoted text

>>> PBSZ 0

<<< 200 PBSZ command successful. Show quoted text

>>> PROT P

<<< 200 PROT command successful. Show quoted text

>>> PASV

<<< 227 Entering Passive Mode (nnn,nnn,nnn,nnn,53,114) Show quoted text

>>> NLST

<<< 125 Data connection already open; transfer starting. <<< 226 Closing data connection, ASCII transfer complete. Use of uninitialized value in substitution (s///) at /usr/lib/perl5/vendor_perl/5.8.8/Net/FTPSSL.pm line 341. Use of uninitialized value in length at /usr/lib/perl5/vendor_perl/5.8.8/Net/FTPSSL.pm line 385. FTP 'nlst' failed: 226 Closing data connection, ASCII transfer complete. at ./bofa_xfer.pl line 395. My perl packages: ftpc-1 bofa # equery list perl [ Searching for package 'perl' in all categories among: ] * installed packages [I--] [ ] app-admin/perl-cleaner-1.05 (0) [I--] [ ] dev-lang/perl-5.8.8-r5 (0) [I--] [ ] sys-devel/libperl-5.8.8-r2 (1) [I--] [ ] virtual/perl-MIME-Base64-3.07 (0) [I--] [ ] virtual/perl-Storable-2.18 (0) [I--] [ ] virtual/perl-Sys-Syslog-0.27 (0) [I--] [ ] virtual/perl-Test-Harness-3.10 (0) [I--] [ ] virtual/perl-Test-Simple-0.80 (0) Yes, I do have a bug in my own code. $ftp->nlst() can return no rows and that should not fail. But the issue at hand is the errors in "FTPSSL.pm" on lines #341 and #385. I am running a stock "perl 5.8.8" on a Gentoo Linux server. I installed "Net::FTPSSL" using "g-cpan" to create a Gentoo portage overlay (if you are unfamiliar, "portage" is Gentoo's package management system). If you need further details, please don't hesitate to contact me. Ps- I'm not a perl wizard. I know just enough to shoot myself in the foot. Dennis Jenkins Network Security Architect iStream Financial Services 262-432-1560 CONFIDENTIALITY NOTICE This electronic mail and the information contained herein are intended for the named recipient only. It may contain confidential, proprietary and/or privileged information. If you have received this electronic mail in error, please do not read any text other than the text of this notice and do not open any attachments. Also, please immediately notify the sender by replying to this electronic mail or by collect call to (262) 796-0925. After notifying the sender as described above, please delete this electronic mail message immediately and purge the item from the deleted items folder (or the equivalent) of your electronic mail system. Thank you.

Message body is not shown because it is too large.

Wed May 06 16:54:54 2009 CLEACH [...] cpan.org - Correspondence added

Hi Dennis, I'm glad you like the Net-FTPSSL module. I'm finding it very usefull myself and having positive feedback like this makes it more enjoyable to maintain this module. I'm already aware of that particular bug. I remember fixing it, and since you are already at v0.08, it must have been in the release I'm currently working on (v0.09). But the trace you gave me in your email it either didn't go with the error message you encountered or my server handled it differently. So I'll make sure I go over my fix again. (My server threw a 5xx message instead of a 125 message in this case. But there's no reason why different servers can't handle zero rows returned differently.) I hope to have v0.09 out in the next couple of weeks that includes this fix. I'm trying to find the time to finish debugging a couple of my changes so that I can package up this new release. Curtis

Wed May 06 16:54:55 2009 The RT System itself - Status changed from 'new' to 'open'

Wed May 06 17:25:05 2009 CLEACH [...] cpan.org - Broken in 0.08 added

Wed May 06 17:32:53 2009 DJenkins [...] istreamfs.com - Correspondence added

Subject:	RE: [rt.cpan.org #45710] Net::FTPSSL "Use of uninitialized value" (with proposed fix)
Date:	Wed, 6 May 2009 16:32:26 -0500
To:	bug-Net-FTPSSL [...] rt.cpan.org
From:	"Dennis Jenkins" <DJenkins [...] istreamfs.com>

Thank you. I'm glad to help. The FTPS server is at Bank of America. I don't know what FTPS server software they run, other than I don't think that it is anything open-source. In the chance that this email is publically archived, I can't disclose the login banner or any further specifics. FFEIC, OTS, FDIC types get nervous about disclosing such things :) I can test your 0.09 module at any time; if you'd like it tested before you "ship" it. Thank you for your contribution to us netizens, it is much appreciated. I previously tried to use Net::FTP tunneled via "tlswrap", but that failed with the BofA FTPS server. Your Net::FTPSSL module saved the day. I can possibly discuss specifics with you off-line if that would be helpful. Dennis Jenkins Network Security Architect iStream Financial Services 262-432-1560 CONFIDENTIALITY NOTICE This electronic mail and the information contained herein are intended for the named recipient only. It may contain confidential, proprietary and/or privileged information. If you have received this electronic mail in error, please do not read any text other than the text of this notice and do not open any attachments. Also, please immediately notify the sender by replying to this electronic mail or by collect call to (262) 796-0925. After notifying the sender as described above, please delete this electronic mail message immediately and purge the item from the deleted items folder (or the equivalent) of your electronic mail system. Thank you. Show quoted text

-----Original Message----- From: Curtis Leach via RT [mailto:bug-Net-FTPSSL@rt.cpan.org] Sent: Wednesday, May 06, 2009 3:55 PM To: Dennis Jenkins Subject: [rt.cpan.org #45710] Net::FTPSSL "Use of uninitialized value" (with proposed fix) <URL: https://rt.cpan.org/Ticket/Display.html?id=45710 > Hi Dennis, I'm glad you like the Net-FTPSSL module. I'm finding it very usefull myself and having positive feedback like this makes it more enjoyable to maintain this module. I'm already aware of that particular bug. I remember fixing it, and since you are already at v0.08, it must have been in the release I'm currently working on (v0.09). But the trace you gave me in your email it either didn't go with the error message you encountered or my server handled it differently. So I'll make sure I go over my fix again. (My server threw a 5xx message instead of a 125 message in this case. But there's no reason why different servers can't handle zero rows returned differently.) I hope to have v0.09 out in the next couple of weeks that includes this fix. I'm trying to find the time to finish debugging a couple of my changes so that I can package up this new release. Curtis

Wed May 13 14:40:46 2009 CLEACH [...] cpan.org - Correspondence added

Dennis Thank you for your offer to test out my changes. Attached is an early release for v0.09. I'm mostly interested in if it corrects your empty directory problem, but feel free to test out anything else you care to try. I've also included the latest test script that should test basic functionality of the module. But the test script doesn't check for your particular problem. Please let me know how it works out. Curtis

Message body is not shown because it is too large.

Wed May 13 14:58:12 2009 DJenkins [...] istreamfs.com - Correspondence added

Subject:	RE: [rt.cpan.org #45710] Net::FTPSSL "Use of uninitialized value" (with proposed fix)
Date:	Wed, 13 May 2009 13:57:50 -0500
To:	bug-Net-FTPSSL [...] rt.cpan.org
From:	"Dennis Jenkins" <DJenkins [...] istreamfs.com>

Ok. I'll need a few days to re-test the ability to "put" and "get" files (I have nothing to push or pull to the target FTPS server right now. However, I am able to login and list "no files" without error, so my original bug report has been addressed. I did a diff between 0.08 and your 0.09. Your changes are significant enough that "diff" gave up and showed the entire files as one huge delta. White-space differences maybe? I was just curious about what else you've changed in the implementation. Again, thank you for your work on this perl module. It's awesome! Dennis Jenkins Network Security Architect iStream Financial Services 262-432-1560 CONFIDENTIALITY NOTICE This electronic mail and the information contained herein are intended for the named recipient only. It may contain confidential, proprietary and/or privileged information. If you have received this electronic mail in error, please do not read any text other than the text of this notice and do not open any attachments. Also, please immediately notify the sender by replying to this electronic mail or by collect call to (262) 796-0925. After notifying the sender as described above, please delete this electronic mail message immediately and purge the item from the deleted items folder (or the equivalent) of your electronic mail system. Thank you.

Sat May 30 11:12:07 2009 CLEACH [...] cpan.org - Fixed in 0.09 added

Sat May 30 11:14:51 2009 CLEACH [...] cpan.org - Status changed from 'open' to 'resolved'