Note: please don't spam any of the e-mail addresses which you see here. Follow this link if you want some addresses to misuse.
From: Kenneth Tindle <ktindle@uky.edu>
Date: Thu, 07 Aug 2003 15:42:58 -0400
Subject: PPR: ppop vs. PPOP.pm saga continues
David,
I have good news and bad news.
You were right: open2() did care about the environment being tainted.
But it still does not work.
a)I applied your fix to PPOP.pm
b)Ran ./show_queues.cgi
c)Got a taint complaint about {BASH_ENV}
d)Ran strace -o show_queues-1.log -f ./show_queues.cgi
to capture this state for examination
e)Added three new lines to PPOP.pm to mirror your fix,
but this time unset BASH_ENV as well as PATH
f)Ran ./show_queues.cgi, and did not see an obvious complaint
g)Tried it in a browser, it still didn't work "ppop not ready"
h)Ran strace -o show_queues-2.log -f ./show_queues.cgi
i)Looking at the log, Perl seems mad about a missing multi-
thread environment, so
j)Ran rpm -qa | grep perl > perl-list
I'm fuzzy on this last bit, as I'm not an expert stack trace
interpreter. But my Perl installation could be incomplete
without being "broken." Or, it just might be broken...
I have posted:
show_queues-1.log
show_queues-2.log
perl-list
on:
ftp://www.uky.edu/pub/aatf/PPR/
For the sake of further laughter, I ran my previous little
test script as both ppr and pprwww, and it worked OK.
The key here must be a critical difference between your Perl
installation and mine. Yours should have cared about the
tainted environment, but didn't. This is mysterious.
It might be of some note, as open2() is simply a wrapper
around standard Unix things like exec, that the kernel on
this machine is NOT the Red Hat kernel with the backported
2.5 POSIX (pthread) elements. It is a pure vanilla,
kernel.org kernel, 2.4.20. This may have broken the Red
Hat pre-compiled Perl stuff, although the 1.50a2 ppop did
work just fine. WHY am I not running the Red Hat kernel!?
Can't. This machine is a 440GX chipset, and its BIOS has
a broken APIC implementation, so the pthread stuff will fail.
Your latest changes to ppop may have made a critical
difference, exposing a mis-match between Red Hat open2()
and the new ppop. Can't say for sure, as I'm not privy
to everything that might have changed for ppop release 1.51.
How well would the new de-tainted PPOP.pm work if dropped
into the slightly older ppr 1.50a2?
I can't believe this isn't working yet, after all this crap!
I wouldn't believe it if I didn't see it myself.