
This queue is for tickets about the POE CPAN distribution.

Report information
The Basics
Id: 76314
Status: resolved
Priority: 0/
Queue: POE

People
Owner: Nobody in particular
Requestors: DYLAN [...] cpan.org
Cc: dylan.doxey [...] gmail.com
AdminCc:

Bug Information
Severity: Important
Broken in: 1.352
Fixed in: (no value)



CC: dylan.doxey [...] gmail.com
Subject: Taint Checking and DNS Lookup
Using POE::Component::Client::HTTP with taint checking. I've attached http_client.pl to recreate the issue.

Problem 1

POE::Component::Resolver dies with "addr is not a string ... "

This can be narrowed down to Socket/GetAddrInfo.c line 279:

if( !SvPOK(addr) ) croak("addr is not a string");

The workaround for this was a patch:

diff POE/Component/Resolver.pm POE/Component/Resolver.pm.bak 440,456d439 < my %cp_address; < < for my $k ( keys %{$address_rec} ) { < < if ( defined $address_rec->{$k} < && $address_rec->{$k} =~ m{\A ( .* ) \z}xms ) < { < $cp_address{$k} = $1; < } < else { < < $cp_address{$k} = $address_rec->{$k}; < } < } < < $address_rec = \%cp_address; <

Problem 2

POE::Wheel::SocketFactory dies with "Insecure dependency in socket while running with -T switch at /usr/local/share/perl/5.10.1/POE/Wheel/SocketFactory.pm line 614."

The workaround for this was a patch:

diff POE/Wheel/SocketFactory.pm POE/Wheel/SocketFactory.pm.bak 613,617d612 < if ( $self->[MY_SOCKET_DOMAIN] =~ m{\A ( \w+ ) \z}xms ) { < < $self->[MY_SOCKET_DOMAIN] = $1; < } <
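Review bot: in the Resolver.pm hunk (lines 440-456 of the patched file), `m{\A ( .* ) \z}xms` matches every possible value, newlines included because of /s, so the `%cp_address` loop strips Perl's taint flag from every field of `$address_rec` without checking anything; that defeats the purpose of running under -T, which is to force exactly this validation at the point where external data reaches a system call. Suggest untaining only the address field and only against the characters a hostname or IP literal can contain, for example `m{\A ( [A-Za-z0-9.:-]+ ) \z}x`, and croaking on a non-match instead of copying the value through in the `else` branch.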
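Review bot: the SocketFactory.pm hunk (lines 613-617) has no `else`, so if `$self->[MY_SOCKET_DOMAIN]` does not match `m{\A ( \w+ ) \z}xms` it is left tainted and the `socket` call right after it still dies with the same "Insecure dependency in socket" message quoted above, which tells the caller nothing about which parameter was bad. Suggest a `croak` on the non-match that names the offending SocketDomain value; `\w+` also accepts letters and underscores, so if the domain is always one of the numeric AF_* constants a `\d+` pattern would be tighter.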
Subject: http_client.pl
#!/usr/bin/perl -Tw
use strict;
use warnings;

{
    use POE qw( Session Component::Client::HTTP );
    use HTTP::Request;
}

my $URL = 'http://google.com/';

# Modulino: run go() only when executed directly, not when required.
exit go(@ARGV) if !caller;

sub go {
    {
        # Taint mode refuses to run anything while PATH is tainted;
        # set a known-good value just for the spawn.
        local $ENV{PATH} = '/usr/local/bin';
        POE::Component::Client::HTTP->spawn(
            Alias    => 'http-client',
            Protocol => 'HTTP/1.0',
        );
    }

    POE::Session->create(
        inline_states => {
            _start => \&_start,
            get_it => \&get_it,
            got_it => \&got_it,
            _stop  => \&_stop,
        }
    );

    POE::Kernel->run();
    return 0;
}

sub _start {
    my ( $kernel, $heap_rh ) = @_[ KERNEL, HEAP ];
    print "starting ... \n";
    $kernel->yield( 'get_it', $URL );
    return;
}

sub get_it {
    my ( $kernel, $heap_rh, $url ) = @_[ KERNEL, HEAP, ARG0 ];
    my $req = HTTP::Request->new( 'GET', $url );
    print "get $url\n";
    # The response is delivered to got_it.
    return $kernel->post( 'http-client', 'request', 'got_it', $req );
}

sub got_it {
    my ( $kernel, $heap_rh ) = @_[ KERNEL, HEAP ];
    my ( $req_ra, $res_ra ) = @_[ ARG0, ARG1 ];
    my $url     = $req_ra->[0]->uri();
    my $content = $res_ra->[0]->content();
    my $code    = $res_ra->[0]->code();
    print "got HTTP $code, ", ( length $content ), " bytes from $url\n";
    return;
}

sub _stop {
    my ( $kernel, $heap_rh ) = @_[ KERNEL, HEAP ];
    print "shutting down ... ";
    $|++;
    $kernel->call( 'http-client', 'shutdown' );
    print "done\n";
    return;
}

__END__
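Both workarounds in the report clear the taint flag with a capture-everything regex. As an added example, not part of the ticket, the attachment, POE's code, or the fix that was later committed, the Perl script below builds tainted inputs itself under `perl -T`, shows that `m{\A ( .* ) \z}xms` accepts any string at all (including one with an embedded newline) and merely launders the flag, and contrasts it with an untaint that only accepts what a resolver should ever be handed. The names `taint_it`, `launder_any` and `untaint_host` are chosen for this example; the hostnames are placeholders and nothing is resolved or connected to. It assumes `Scalar::Util` (core since Perl 5.8) and that `PATH` is set in the environment.

```perl
#!/usr/bin/perl -T
# Added example for rt.cpan.org #76314; not code from POE or from the ticket.
# Run with taint mode on:  perl -T taint_untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value from %ENV is tainted. Appending a zero-length
# substring of $ENV{PATH} to a literal taints the literal, so the script
# can build its own tainted inputs offline instead of waiting on a real
# DNS answer. (Assumption: PATH is set, as it is in any normal shell.)
sub taint_it {
    my ($value) = @_;
    return $value . substr( $ENV{PATH}, 0, 0 );
}

# What the ticket's workaround does: m{\A ( .* ) \z}xms. With /s the dot
# also matches newlines, so every string matches and $1 is the whole
# string with its taint flag removed. Nothing has been validated.
sub launder_any {
    my ($value) = @_;
    return unless defined $value;
    return $1 if $value =~ m{\A ( .* ) \z}xms;
    return;
}

# A validating untaint for a value that is about to reach getaddrinfo():
# accept an RFC 1123 hostname or a dotted-quad IPv4 literal (one pattern
# covers both, since digit-only labels are legal), or a bare IPv6 literal
# checked for its alphabet only. Anything else is rejected with undef so
# the caller can fail early, instead of a later socket() dying with
# "Insecure dependency" far away from the bad input.
sub untaint_host {
    my ($value) = @_;
    return unless defined $value;

    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    if ( $value =~ m{\A ( $label (?: \. $label )* \.? ) \z}x ) {
        my $host = $1;
        return $host if length($host) <= 253;
    }
    if ( $value =~ m{\A ( [0-9A-Fa-f:]{2,39} ) \z}x ) {
        my $addr = $1;
        return $addr if ( $addr =~ tr/:// ) >= 2;    # needs two or more colons
    }
    return;
}

# Constructed inputs (placeholders; no lookups are performed).
my %cases = (
    host      => taint_it('www.example.com'),
    ipv4      => taint_it('192.0.2.10'),
    ipv6      => taint_it('2001:db8::1'),
    trailing  => taint_it('example.com.'),
    newline   => taint_it("example.com\nrm -rf /"),    # .* with /s still accepts this
    shellmeta => taint_it('example.com; id'),
    empty     => taint_it(''),
);

for my $name ( sort keys %cases ) {
    my $raw       = $cases{$name};
    my $laundered = launder_any($raw);
    my $checked   = untaint_host($raw);
    printf "%-9s input tainted=%d  launder_any tainted=%d  untaint_host=%s\n",
        $name,
        ( tainted($raw)       ? 1 : 0 ),
        ( tainted($laundered) ? 1 : 0 ),
        ( defined $checked ? "'$checked'" : 'REJECTED' );
}
```

Every input comes out of `launder_any` untainted, the newline and shell-metacharacter cases included, which is why a `.*` untaint is a taint-mode bypass rather than a check. `untaint_host` lets the hostname and both IP literals through and rejects the rest, so under `-T` the bad value is stopped where it enters rather than at the `socket` call deep inside the wheel.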
Simplified changes committed. They still pass your test case.

PoCo::Resolver:

commit 401d307f6ea076b0152e51caf53717ebf7616c90
Author: Rocco Caputo <rcaputo@cpan.org>
Date:   Sun Apr 29 18:46:27 2012 -0400

    [rt.cpan.org 76314] Untaint addresses before Socket::GetAddrInfo.

    Dylan Doxey pointed out that Socket::GetAddrInfo rejects tainted
    addresses. Untaint them first, per his recommendation and test case.

POE:

commit 5f22fcada8b4493dcbcd83c5716c929dc56949f6
Author: Rocco Caputo <rcaputo@cpan.org>
Date:   Sun Apr 29 18:44:46 2012 -0400

    [rt.cpan.org 76314] Untaint externally supplied domains.

    Resolves part of the ticket reported by Dylan Doxey. Thank you for
    the test case, Dylan!