Apache2::compat from mod_perl 2.0.3 -- multiple issues

2007-03-23 Thread Joshua Hoblitt
It seems that compat.pm isn't 'use strict' clean even though it is declaring this
pragma.

# Error:  Bareword "Apache2::ServerUtil::server_root" not allowed while 
"strict subs" in use at 
/usr/lib/perl5/site_perl/5.8.8/i686-linux/Apache2/compat.pm line 347,  
line 9.

This error is caused by 'Apache2::ServerUtil::server_root' (note the
missing '()') and this is repeated in several places throughout compat.pm.

Commenting out the 'use strict' at the top of compat.pm reveals another more
serious error:

# Error:  Undefined subroutine &Apache2::ServerUtil::restart_count 
called at /usr/lib/perl5/site_perl/5.8.8/i686-linux/Apache2/compat.pm line 76, 
 line 9.

Which I assume is supposed to be provided by ServerUtil.so except that this
symbol isn't defined in this lib.

nm ./Apache2/ServerUtil/ServerUtil.so | grep restart
1cf0 T XS_Apache2__ServerUtil_restart_count
 U modperl_restart_count

Any ideas as to what might have gone wrong in the build?

-J



Re: Having problems installing mod_perl on Slackware

2007-03-23 Thread Philip M. Gollucci
[Thu Mar 22 21:34:14 2007] [error] [client 127.0.0.1] Handler for 
modperl returned invalid result code 2
# Failed test 3 in 
/usr/src/mod_perl-2.0.3/t/response/TestAPI/server_const.pm at line 39

This was due to API changes from 2.2.3 -> 2.2.4 in httpd.
This is largely irrelevant for general mp use since it's just the Server 
'Banner' functions.


This is also about to be fixed in SVN and will be part of 2.0.4

See Message-ID: <[EMAIL PROTECTED]>
for the patch that's in the works from Gozer.


--

Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


Re: [RELEASE CANDIDATE] mod_perl-1.30 RC1

2007-03-23 Thread Geoffrey Young
Randal L. Schwartz wrote:
>>"Philippe" == Philippe M Chiasson <[EMAIL PROTECTED]> writes:
> 
> 
> Philippe> SECURITY: CVE-2007-1349 (cve.mitre.org)
> 
> Is it disinformation at
>  that says it was
> assigned on march *8th*.  Last I looked, it was closer to the 23rd.  Weird.
> 
> Or is the number copied wrong?

I've been told both are correct - the numbers are allocated in advance
to the ASF contact person, who then assigns them to projects as necessary.

--Geoff


Re: Having problems installing mod_perl on Slackware

2007-03-23 Thread Eric Snyder
I notice that at the top it references Apache/2.2.4. I attempted to use 
2.2.4 first and when that did not work configured, compiled and 
installed 2.0.59. Is there a leftover that may be causing this problem?


Log contents:

END in modperl_extra.pl, pid=7593
[Thu Mar 22 21:33:01 2007] [notice] Apache/2.2.4 (Unix) world domination 
series/2.0 mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal 
operations

[Thu Mar 22 21:33:01 2007] [info] Server built: Mar 20 2007 21:35:24
[Thu Mar 22 21:33:01 2007] [debug] prefork.c(991): AcceptMutex: sysvsem 
(default: sysvsem)


*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [info] [client 127.0.0.1] TestAPI::aplog test 
in progress


*** The following warn entry is expected and harmless ***
This log message comes with no header

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [debug] aplog.pm(71): log_serror test 1

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [debug] aplog.pm(83): (20014)Internal error: 
log_serror test 2


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [crit] [client 127.0.0.1] (20007)No time was 
provided and one was required.: log_rerror test


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [error] $r->log_error test

*** The following error entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [error] $s->log_error test

*** The following error entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [error] access to /TestAPI__aplog failed for 
127.0.0.1, reason: $r->log_reason test


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [error] access to filename failed for 
127.0.0.1, reason: $r->log_reason filename test


*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [debug] aplog.pm(144): TestAPI::aplog test done
[Thu Mar 22 21:33:38 2007] [notice] [client 127.0.0.1] This message 
should appear with LogLevel=error!


*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [warn] $s->warn test

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [warn] Apache2::ServerRec::warn test

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [warn] Apache2::ServerRec::warn test

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:33:38 2007] [warn] warn test

*** The following error entry is expected and harmless ***
[Thu Mar 22 21:34:09 2007] [error] Process 7602 terminates itself\n
[Thu Mar 22 21:34:14 2007] [error] [client 127.0.0.1] Handler for 
modperl returned invalid result code 2
[Thu Mar 22 21:34:14 2007] [error] [client 127.0.0.1] Handler for 
modperl returned invalid result code 2
# Failed test 3 in 
/usr/src/mod_perl-2.0.3/t/response/TestAPI/server_const.pm at line 39


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:35:28 2007] [error] Apache::log_error test ok

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:35:28 2007] [warn] Apache->warn ok

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:35:28 2007] [warn] Apache::warn ok

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:35:28 2007] [warn] Apache::Server->warn ok

*** The following warn entry is expected and harmless ***
[Thu Mar 22 21:35:28 2007] [warn] Apache::Server::warn ok

*** The following error entry is expected and harmless ***
[Thu Mar 22 21:36:12 2007] [error] [client 127.0.0.1] APR::Socket::recv: 
(11) Resource temporarily unavailable at 
/usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm line 156


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:36:12 2007] [error] [client 127.0.0.1] Undefined 
subroutine &TestError::runtime::no_such_func called at 
/usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm line 150.\n


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:36:12 2007] [error] [client 127.0.0.1] APR::Socket::recv: 
(11) Resource temporarily unavailable at 
/usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm line 
156\n\tTestError::runtime::mp_error('APR::Socket=SCALAR(0x947b1f8)') 
called at /usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm line 
75\n\tTestError::runtime::die_hook_confess_mp_error('Apache2::RequestRec=SCALAR(0x9474560)', 
'APR::Socket=SCALAR(0x947b1f8)') called at 
/usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm line 
31\n\tTestError::runtime::handler('Apache2::RequestRec=SCALAR(0x9474560)') 
called at -e line 0\n\teval {...} called at -e line 0\n


*** The following error entry is expected and harmless ***
[Thu Mar 22 21:36:12 2007] [error] [client 127.0.0.1] Undefined 
subroutine &TestError::runtime::no_such_func called at 
/usr/src/mod_perl-2.0.3/t/response/TestError/runtime.pm li

Mod_perl and win32 --more experience

2007-03-23 Thread Tümer Garip


Hi all,
There have been quite a few reports about mod_perl causing segmentation faults
on Win32 boxes on the list (including me). Thanks to all that responded
with suggestions. Here are my latest findings:
1- I have mod_perl 2.0.3 and apache 2.2.4 working on a Windows 2003 box (dual
xceleron IBM server).
2- Using standard binaries for perl (ActivePerl and Apache) is perfectly
fine. No need to compile them yourself.
3- XML::LibXML or anything that uses it like XML::Simple will definitely
crash the system under heavy load. I now use Expat and under most heavy
tests it survives. This is a very useful package and maybe somebody
will look into it.
4- Another culprit was a not very common package, HTML::Template::Pro.
Segmentation faults (saying free to wrong pool) again under heavy use. I now
use HTML::Template and it works fine.

So I can now say mod_perl rocks on a production library system running
on a Windows box.

Hope it helps others.
Tumer Garip



Mod_Perl2 vs. Mod_Perl1, MPM_WORKER....

2007-03-23 Thread Jason Rosenberg
Hi,

I'm just wondering what the mod_perl intelligentsia thinks about the choice
between using mod_perl1 vs. mod_perl2.

Is there a reason not to go with the newer mod_perl2 (and Apache2, of
course)?  Is it stable and well accepted at this point?  It seems like a
great number of people still use mod_perl1.

Further, what success have people had using threading with mod_perl2, using
MPM_WORKER?

Jason


Re: [RELEASE CANDIDATE] mod_perl-1.30 RC1

2007-03-23 Thread Randal L. Schwartz
> "Philippe" == Philippe M Chiasson <[EMAIL PROTECTED]> writes:

Philippe> SECURITY: CVE-2007-1349 (cve.mitre.org)

Is it disinformation at
 that says it was
assigned on march *8th*.  Last I looked, it was closer to the 23rd.  Weird.

Or is the number copied wrong?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 <http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!


[RELEASE CANDIDATE] mod_perl-1.30 RC1

2007-03-23 Thread Philippe M. Chiasson
The mod_perl 1.30 release candidate #1 has arrived. It can be
downloaded here:

http://www.apache.org/~gozer/mp1/mod_perl-1.30-rc1.tar.gz

MD5 : 639e045d782a66746a70b7948dfa
SHA1: 942eaffe4570a9060b3a0ed7de52ac902d054cbb

The summary of what has changed since 1.29 is (from Changes):

SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in Apache::PerlRun
regular expression to prevent regex engine tampering.
reported by Alex Solovey
[Randal L. Schwartz, Fred Moyer <[EMAIL PROTECTED]>]

Pull in the new Apache-SizeLimit from
http://svn.apache.org/repos/asf/perl/Apache-SizeLimit/trunk
and obsolete the previous lib/Apache/SizeLimit.pm.
[Philip M. Gollucci]

Fix an Apache::(Registry|PerlRun) bug caused by special characters
in the url [EMAIL PROTECTED]

Display a more verbose message if Apache.pm can't be loaded
[Geoffrey Young]

Fix incorrect win32 detection in Apache::SizeLimit reported by
Matt Phillips <[EMAIL PROTECTED]> [Philippe M. Chiasson]

The print-a-scalar-reference feature is now deprecated and documented
as such [Stas]

fix "PerlSetVar Foo 0" so that $r->dir_config('Foo') returns 0, not undef
[Geoffrey Young]

for some reason .pm files during the modperl build see $ENV{PERL5LIB}
set in Makefile.PL, which is used for generating Makefiles, as
"PERL5LIB=/path:/another/path" instead of "/path:/another/path"
essentially rendering this env var useless. I'm not sure why, may be
MakeMaker kicks in somewhere. Trying to workaround by
s/PERL5LIB/PERL5LIB_ENV/, using anything that's not PERL5LIB. [Stas]

change $INC{$key} = undef; to delete $INC{$key}; in PerlFreshRestart
[Geoffrey Young]

Fix a bug in Makefile.PL for Win32 where it would, in
certain cases, pick up the wrong Perl include directory
[Steve Hay]


Philippe M. Chiasson GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/   m/gozer\@(apache|cpan|ectoplasm)\.org/


Problem building mod_perl2 on Mac OS X 10.4.9, Intel

2007-03-23 Thread Jason Rosenberg

-8<-- Start Bug Report 8<--
1. Problem Description:

  I'm having a problem building mod_perl2 on a Mac, OS X 10.4.9, Intel

  It fails during the 'make' step, apparently during the final link step:


env MACOSX_DEPLOYMENT_TARGET=10.3 cc -bundle -undefined dynamic_lookup
-Wl,-search_paths_first -arch ppc -arch i386
-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk -mmacosx-version-min=10.3 \
 \
mod_perl.lo modperl_interp.lo modperl_tipool.lo modperl_log.lo
modperl_config.lo modperl_cmd.lo modperl_options.lo modperl_callback.lo
modperl_handler.lo modperl_gtop.lo modperl_util.lo modperl_io.lo
modperl_io_apache.lo modperl_filter.lo modperl_bucket.lo modperl_mgv.lo
modperl_pcw.lo modperl_global.lo modperl_env.lo modperl_cgi.lo
modperl_perl.lo modperl_perl_global.lo modperl_perl_pp.lo modperl_sys.lo
modperl_module.lo modperl_svptr_table.lo modperl_const.lo
modperl_constants.lo modperl_apache_compat.lo modperl_error.lo
modperl_debug.lo modperl_common_util.lo modperl_common_log.lo
modperl_hooks.lo modperl_directives.lo modperl_flags.lo modperl_xsinit.lo
modperl_exports.lo  -Wl,-search_paths_first -arch ppc -arch i386
-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk -mmacosx-version-min=10.3
-L/usr/local/ActivePerl-5.8/lib/CORE -lperl -ldl -lm -lc \
-o mod_perl.so
/usr/bin/usr/bin/ld: -syslibroot: multiply specified
/ldcollect2: ld returned 1 exit status
: -syslibroot: multiply specified
collect2: ld returned 1 exit status
lipo: can't open input file: /var/tmp//cc5BN4aP.out (No such file or
directory)
make[1]: *** [mod_perl.so] Error 1
make: *** [modperl_lib] Error 2



2. Used Components and their Configuration:

*** mod_perl version 2.03

*** using 
/Users/jrosenberg/Downloads/mod_perl-2.0.3/lib/Apache2/BuildConfig.pm

*** Makefile.PL options:
  MP_APR_LIB => aprext
  MP_APXS=> /usr/local/apache2/bin/apxs
  MP_COMPAT_1X   => 1
  MP_GENERATE_XS => 1
  MP_LIBNAME => mod_perl
  MP_USE_DSO => 1


*** The httpd binary was not found


*** (apr|apu)-config linking info

 -L/usr/local/apache2/lib -laprutil-1 -lsqlite3 -lexpat -liconv
-L/usr/local/apache2/lib
 -L/usr/local/apache2/lib -lapr-1 -lpthread



*** /usr/local/ActivePerl-5.8/bin/perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
osname=darwin, osvers=8.8.0, archname=darwin-thread-multi-2level
uname='darwin sphinx 8.8.0 darwin kernel version 8.8.0: fri sep 8
17:18:57 pdt 2006; root:xnu-792.12.6.obj~1release_ppc power macintosh
powerpc '
config_args='-ders -Dcc=gcc -Dusethreads -Duseithreads -Ud_sigsetjmp
-Uinstallusrbinperl -Ulocincpth= -Uloclibpth= -Ud_poll -Ui_poll
-Ud_setitimer -Ud_getitimer -Ud_pthread_atfork -Ud_msg -Ud_attribute_format
-Ud_attribute_malloc -Ud_attribute_nonnull -Ud_attribute_noreturn
-Ud_attribute_pure -Ud_attribute_unused -Ud_attribute_warn_unused_result
-Aldflags=-Wl,-search_paths_first -Alddlflags=-Wl,-search_paths_first
-Accflags=-arch ppc -arch i386 -Aldflags=-arch ppc -arch i386
-Alddlflags=-arch ppc -arch i386 -Accflags=-nostdinc
-B/Developer/SDKs/MacOSX10.4u.sdk/usr/include/gcc
-B/Developer/SDKs/MacOSX10.4u.sdk/usr/lib/gcc
-isystem/Developer/SDKs/MacOSX10.4u.sdk/usr/include
-F/Developer/SDKs/MacOSX10.4u.sdk/System/Library/Frameworks
-mmacosx-version-min=10.3
-Aldflags=-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk
-mmacosx-version-min=10.3
-Alddlflags=-Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk
-mmacosx-version-min=10.3 -Accflags=-DUSE_SITECUSTOMIZE -Duselargefiles
-Accflags=-DNO_HASH_SEED -Dprefix=/usr/local/ActivePerl-5.8
-Dprivlib=/usr/local/ActivePerl-5.8/lib
-Darchlib=/usr/local/ActivePerl-5.8/lib
-Dsiteprefix=/usr/local/ActivePerl-5.8/site
-Dsitelib=/usr/local/ActivePerl-5.8/site/lib
-Dsitearch=/usr/local/ActivePerl-5.8/site/lib -Dsed=/usr/bin/sed
-Duseshrplib -Dconfig_heavy=Config_dynamic.pl -Dcf_by=ActiveState
[EMAIL PROTECTED]'
hint=recommended, useposix=true, d_sigaction=define
usethreads=define use5005threads=undef useithreads=define
usemultiplicity=define
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
  Compiler:
cc='gcc', ccflags ='-fno-common -DPERL_DARWIN -no-cpp-precomp -arch ppc
-arch i386 -nostdinc -B/Developer/SDKs/MacOSX10.4u.sdk/usr/include/gcc
-B/Developer/SDKs/MacOSX10.4u.sdk/usr/lib/gcc
-isystem/Developer/SDKs/MacOSX10.4u.sdk/usr/include
-F/Developer/SDKs/MacOSX10.4u.sdk/System/Library/Frameworks
-mmacosx-version-min=10.3 -DUSE_SITECUSTOMIZE -DNO_HASH_SEED
-fno-strict-aliasing -pipe -Wdeclaration-after-statement',
optimize='-O3',
cppflags='-no-cpp-precomp -fno-common -DPERL_DARWIN -no-cpp-precomp
-arch ppc -nostdinc -B/Developer/SDKs/MacOSX10.4u.sdk/usr/include/gcc
-B/Developer/SDKs/MacOSX10.4u.sdk/usr/lib/gcc
-isystem/Developer/SDKs/MacOSX10.4u.sdk/usr/include
-F/Developer/SDKs/MacOSX10.4u.sdk/System/Library/Frameworks
-mmacosx-version-min=10.3 -D

Re: MP1 Security issue

2007-03-23 Thread Randal L. Schwartz
> "Randal" == Randal L Schwartz  writes:

Randal> However, for mp2, since the listed modules all use
Randal> ModPerl::RegistryCooker, and the problem is in there, my list is still
Randal> accurate.

Ugh.  Yes, I see it now.  While ModPerl::RegistryCooker has the problem, some
of the modules (like ModPerl::Registry) don't use the affected code.  So the
problem would be more accurately stated as a bug in RegistryCooker, that
affects users of *that* module's namespace_from_uri routine.  And you've
determined that none of the shipped end-user modules use that?  That's good,
as it will narrow the damage.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 <http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!


Re: MP1 Security issue

2007-03-23 Thread Alex Solovey

On 3/23/07, Randal L. Schwartz  wrote:

You're correct.  It has been fixed in Apache::Registry for MP1.  I'm sorry I
overlooked that last night.  For mp1, it affects only users of
Apache::PerlRun.

However, for mp2, since the listed modules all use ModPerl::RegistryCooker,
and the problem is in there, my list is still accurate.


Not quite. In mp2, the problem is in RegistryCooker.pm, sub
namespace_from_uri, which is not called from anywhere in the default setup,
including PerlRun and Registry, _unless_ the default behaviour is overridden
by something like

*ModPerl::MyRegistry::namespace_from =
   \&ModPerl::RegistryCooker::namespace_from_uri;

This may be present in some users' code though, especially if it was
migrated to mp2 from mp1 where uri-based namespaces were the default, but
I do not think it is common.

--  Alex


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Alex Solovey

On 3/23/07, Geoffrey Young <[EMAIL PROTECTED]> wrote:

as for mp2, nothing in the current distribution is affected -
ModPerl::Registry and ModPerl::PerlRun are both filesystem based and not
uri based.  however, if you use RegistryCooker to roll your own
non-standard Registry handler and are using the non-standard uri-based
methods then you will want to examine your code.


Indeed, default mp2 setup is not affected. One cannot reproduce this
problem unless something like
  *ModPerl::MyRegistry::namespace_from =
\&ModPerl::RegistryCooker::namespace_from_uri;
is done.

-- Alex


Re: MP1 Security issue

2007-03-23 Thread Randal L. Schwartz
> "Geoffrey" == Geoffrey Young <[EMAIL PROTECTED]> writes:

Michael> Not quite. It only affects people running PerlRun. Not insignificant,
Michael> but definitely not everyone.
>> 
>> No, it affects users of all script-like things, both mod_perl1 (users of
>> Apache::Registry, Apache::PerlRun), and mod_perl2 (users of ModPerl::PerlRun,
>> ModPerl::PerlRunPrefork, ModPerl::Registry, ModPerl::RegistryBB,
>> ModPerl::RegistryPrefork).  They've all copied the same common code.

Geoffrey> this is fud.  please stop.  please read my recent emails, or take the
Geoffrey> time to examine the code in detail.

You're correct.  It has been fixed in Apache::Registry for MP1.  I'm sorry I
overlooked that last night.  For mp1, it affects only users of
Apache::PerlRun.

However, for mp2, since the listed modules all use ModPerl::RegistryCooker,
and the problem is in there, my list is still accurate.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 <http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!


Re: MP1 Security issue

2007-03-23 Thread Geoffrey Young

> Michael> Not quite. It only affects people running PerlRun. Not insignificant,
> Michael> but definitely not everyone.
> 
> No, it affects users of all script-like things, both mod_perl1 (users of
> Apache::Registry, Apache::PerlRun), and mod_perl2 (users of ModPerl::PerlRun,
> ModPerl::PerlRunPrefork, ModPerl::Registry, ModPerl::RegistryBB,
> ModPerl::RegistryPrefork).  They've all copied the same common code.

this is fud.  please stop.  please read my recent emails, or take the
time to examine the code in detail.

--Geoff


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Geoffrey Young

> I was able to reproduce this in mp1.
> 
> for the interested, a fix has been put in place in svn for mod_perl 1.0,
> which you can grab from here:
> 
>   https://svn.apache.org/repos/asf/perl/modperl/branches/1.x/
> 
> furthermore, as michael pointed out, the problem is isolated to
> Apache::PerlRun - Apache::Registry has had a similar fix in it since
> mid-2000 and Apache::RegistryNG is filename based, not url based.

as for mp2, nothing in the current distribution is affected -
ModPerl::Registry and ModPerl::PerlRun are both filesystem based and not
uri based.  however, if you use RegistryCooker to roll your own
non-standard Registry handler and are using the non-standard uri-based
methods then you will want to examine your code.

--Geoff


Re: MP1 Security issue

2007-03-23 Thread Randal L. Schwartz
> "Michael" == Michael Peters <[EMAIL PROTECTED]> writes:

Michael> Randal L. Schwartz wrote:
>>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>> 
Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>> 
>> I don't want to raise too many alarms, but this means that every MP1 server
>> has a denial-of-service attack against it now.

Michael> Not quite. It only affects people running PerlRun. Not insignificant,
Michael> but definitely not everyone.

No, it affects users of all script-like things, both mod_perl1 (users of
Apache::Registry, Apache::PerlRun), and mod_perl2 (users of ModPerl::PerlRun,
ModPerl::PerlRunPrefork, ModPerl::Registry, ModPerl::RegistryBB,
ModPerl::RegistryPrefork).  They've all copied the same common code.

And yes, not everyone.  Anyone who has actual "handlers", instead of just
using mod_perl to "speed up content delivery by migrating legacy Perl CGI",
won't be affected by this.  But for the vast public out there, these
"superfast scripts" are what mod_perl is.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 <http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!


Re: MP1 Security issue

2007-03-23 Thread Randal L. Schwartz
> "Geoffrey" == Geoffrey Young <[EMAIL PROTECTED]> writes:

Geoffrey> this sensationalism was just flat-out irresponsible.  I don't doubt
Geoffrey> that it's true, but not giving us dev folks time to address the
Geoffrey> issue with a security release is going to cause more headaches than
Geoffrey> it otherwise would have.

Geoffrey> in the future, if anyone has a security issue with any apache
Geoffrey> product, the proper path to follow is to send a brief email to
Geoffrey> [EMAIL PROTECTED]  those guys will make sure it gets routed to
Geoffrey> the appropriate place (the mod_perl pmc and core development team in
Geoffrey> this case) and we'll work with you to get it clarified and resolved.

I get around.  I read various mailing lists.   I'm not a dumb guy about
Perl stuff.  And by the way, I've already been yelled at. :)

But this thing about "[EMAIL PROTECTED]" is something that I wouldn't have
thought to look for.  And even if I had thought to look for it, what web site
describes it?  A quick google for "security mod_perl" doesn't point it out in
the first ten hits or so, and searching literally for it links it far more
with the Apache server itself, not mod_perl, and mostly historical links.

So please don't tell me that I should have known about a secret mailing list.
That's being a bit presumptive.  I thought I *was* notifying the most
appropriate list (the mod_perl developers).  Perhaps your job for the *next*
breakage is to make sure your secret mailing list is a bit more public, if you
want security reports to go there instead of here.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 <http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Geoffrey Young
Kjetil Kjernsmo wrote:
> On Friday 23 March 2007 14:57, Geoffrey Young wrote:
> 
>>fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
>>consider a basic setup.
> 
> 
> I have also failed to reproduce the problem on 2.0.3 with my setup. 
> Also, we are very liberal on what kind of usernames, and thus what 
> special characters can enter the URI, and in some cases they go through 
> a registry script, and we have not observed any crashes due to this. 

I was able to reproduce this in mp1.

for the interested, a fix has been put in place in svn for mod_perl 1.0,
which you can grab from here:

  https://svn.apache.org/repos/asf/perl/modperl/branches/1.x/

furthermore, as michael pointed out, the problem is isolated to
Apache::PerlRun - Apache::Registry has had a similar fix in it since
mid-2000 and Apache::RegistryNG is filename based, not url based.

--Geoff


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Kjetil Kjernsmo
On Friday 23 March 2007 14:57, Geoffrey Young wrote:
> fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
> consider a basic setup.

I have also failed to reproduce the problem on 2.0.3 with my setup. 
Also, we are very liberal on what kind of usernames, and thus what 
special characters can enter the URI, and in some cases they go through 
a registry script, and we have not observed any crashes due to this. 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Geoffrey Young
Michael Peters wrote:
> Randal L. Schwartz wrote:
> 
>>>"Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>>
>>Alex> The problem is due to unescaped variable interpolation in regular
>>Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>>
>>I don't want to raise too many alarms, but this means that every MP1 server
>>has a denial-of-service attack against it now.
> 
> 
> Not quite. It only affects people running PerlRun. Not insignificant, but
> definitely not everyone.

fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
consider a basic setup.

this does not mean that I don't agree with the assessments thus far.
but one thing it does mean, though, is that we can't be sure we have a
fix in place if we are unable to verify before and after scenarios.

so, I could use some help here.  if anyone is able to reproduce it
please email me PRIVATELY with

  o relevant httpd.conf
  o sample script

again, watch your reply-all button - no need to expose things to the
world and forever in google at the moment :)

alternatively, anyone with an interest can join #mp-security on
irc.pobox.com (irc.perl.org) so we can get this resolved quickly.

--Geoff


Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Michael Peters
Randal L. Schwartz wrote:
>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
> 
> Alex> The problem is due to unescaped variable interpolation in regular
> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
> 
> I don't want to raise too many alarms, but this means that every MP1 server
> has a denial-of-service attack against it now.

Not quite. It only affects people running PerlRun. Not insignificant, but
definitely not everyone.

-- 
Michael Peters
Developer
Plus Three, LP



Re: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)

2007-03-23 Thread Geoffrey Young
Randal L. Schwartz wrote:
>>"Randal" == Randal L Schwartz  writes:
> 
> 
>>"Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
> 
> Alex> The problem is due to unescaped variable interpolation in regular
> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
> 
> Randal> I don't want to raise too many alarms, but this means that every MP1
> Randal> server has a denial-of-service attack against it now.
> 
> And MP2 as well, from ModPerl::RegistryCooker:
> 
> my $path_info = $self->{REQ}->path_info;
> my $script_name = $path_info && $self->{URI} =~ /$path_info$/
> ? substr($self->{URI}, 0, length($self->{URI}) - length($path_info))
> : $self->{URI};
> 
> Wonderful.  Won't take long until this makes the rounds.  Better start
> getting the patches out and the press releases.

this sensationalism was just flat-out irresponsible.  I don't doubt that
it's true, but not giving us dev folks time to address the issue with a
security release is going to cause more headaches than it otherwise
would have.

in the future, if anyone has a security issue with any apache product,
the proper path to follow is to send a brief email to
[EMAIL PROTECTED]  those guys will make sure it gets routed to the
appropriate place (the mod_perl pmc and core development team in this
case) and we'll work with you to get it clarified and resolved.

--Geoff
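The `$uri =~ /$path_info$/` construct quoted above interpolates the request's PATH_INFO straight into a regular expression, so any regex metacharacters in the request path become part of the pattern. The following is an added example (not code from mod_perl or from anyone in this thread) showing the literal-match form of that script-name derivation, with `\Q...\E` (quotemeta) applied to the interpolated value; the function name `script_name_from` and the sample URIs are assumptions constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Derive the script name (the URI minus its trailing PATH_INFO), matching
# the PATH_INFO literally.  \Q...\E applies quotemeta() to the interpolated
# value, so regex metacharacters in the request path are treated as plain
# text instead of being compiled into the pattern.  (Hypothetical helper,
# not the RegistryCooker code itself.)
sub script_name_from {
    my ($uri, $path_info) = @_;
    return $uri unless defined $path_info && length $path_info;
    # \z anchors at the true end of the string ($ would also accept a
    # trailing newline before the end).
    if ($uri =~ /\Q$path_info\E\z/) {
        return substr($uri, 0, length($uri) - length($path_info));
    }
    return $uri;
}

# Constructed sample inputs (not taken from the thread):
my @cases = (
    # [ uri, path_info, expected script name ]
    [ '/perl/hello.pl/extra/info', '/extra/info', '/perl/hello.pl' ],
    [ '/perl/hello.pl',            '',            '/perl/hello.pl' ],
    # PATH_INFO containing regex metacharacters must still match literally
    [ '/perl/hello.pl/a.b+c',      '/a.b+c',      '/perl/hello.pl' ],
    [ '/perl/hello.pl/x(y',        '/x(y',        '/perl/hello.pl' ],
);

for my $c (@cases) {
    my ($uri, $pi, $want) = @$c;
    my $got = script_name_from($uri, $pi);
    printf "%-30s %-14s => %-18s %s\n", $uri, "'$pi'", $got,
        $got eq $want ? 'ok' : 'MISMATCH';
}
```

Run it with plain perl; every case should print ok. Without `\Q...\E`, the `/x(y` case would not even compile as a pattern and the handler would die on that request, which is the per-request failure mode the thread is discussing; the `/a.b+c` case would compile but match something other than the literal path.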


Re: Partial HTML

2007-03-23 Thread Anthony Gardner
We are running through a load balancer with port forwarding. Why could it be at 
that end?

What this project has coded is a "sub request" to get data from our server to 
include in the original call, hence the HTML is only partial. When I say 
"sub request" I mean they go via the outside world. So it's really a second 
request.

I have just been looking to see if that can be done with an 
$r->internal_redirect() but it doesn't work. 

$subr = $r->lookup_file( '/some/path' ); 
$subr->run();

only returns the RC_CODE and $r->internal_redirect() doesn't return anything.

At present, I think they want to keep the second request to produce stats. So, 
I would like to keep the second request internal to prevent possible timeouts 
etc. while maintaining their stats.

Any help would be greatly appreciated.

CIA

-Ants


Jonathan Vanasco <[EMAIL PROTECTED]> wrote: 
On Mar 22, 2007, at 11:40 AM, Anthony Gardner wrote:

> If Partial HTML is sent  to the client,  could it possibly cause  
> the IO flush error? The HTML in question would be something like  
> .
 and sent back thus 

are you running through a load balancer / proxy ?  it could be on  
that end.


[Fwd: CPAN Upload: P/PG/PGOLLUCCI/Apache-DBI-1.06.tar.gz]

2007-03-23 Thread Philip M. Gollucci

The uploaded file

Apache-DBI-1.06.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/P/PG/PGOLLUCCI/Apache-DBI-1.06.tar.gz
  size: 33833 bytes
   md5: ba05c9b7a437e8d974c81d948d162825

No action is required on your part
Request entered by: PGOLLUCCI (Philip M. Gollucci)
Request entered on: Fri, 23 Mar 2007 09:05:45 GMT
Request completed:  Fri, 23 Mar 2007 09:06:35 GMT

Thanks,

Changes Since 1.05:

  - MP2/AuthDBI: Fixed Apache::AuthDBI::debug() to
actually work.
Submitted by: [Kevin Appel <[EMAIL PROTECTED]>]

  - Bump minimum required perl version to 5.6.1 to match DBI
(Changes in DBI 1.49 (svn rev 2287),   29th November 2005)
Philip M. Gollucci <[EMAIL PROTECTED]>



Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


[RELEASE CANDIDATE] Apache-SizeLimit 0.91 RC2

2007-03-23 Thread Philip M. Gollucci

A release candidate for Apache-SizeLimit 0.91-RC2 is now available.

http://people.apache.org/~pgollucci/asl/Apache-SizeLimit-0.91-rc2.tar.gz

Please download, test, and report back.

I believe this will be the last Release Candidate for .91.

*** Pending a successful release, this package will be integrated into
*** both mod_perl 1.x and mod_perl 2.x CORE distributions.

Changes since 0.91-RC1:

 - Minor fixes to the test suite to skip them on darwin


Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.