#foswiki 2014-09-05,Fri


Who | What | When
Lynnwood: hi folks - I’ve just run into the issue of editing SitePreferences while {Site}{Locale} is enabled: Tasks/Item11953 [00:52]
gac410: yeah enabling locales is not very well supported.
You will also get corruption of verbatim blocks iirc
[00:53]
Lynnwood: I’m not sure about the short term fix prior to 1.2. Folks talk there about disabling {Site}{Locale} but not sure what that means: having a blank value or disabling {UseLocale}?
yikes
that could cause lots of mischief
[00:53]
gac410: Not sure it's even going to be supported in 1.2. [00:54]
Lynnwood: so should one turn off {UseLocale} or just not put a value in {Site}{Locale}?
or remove taint?
[00:54]
gac410: we are talking of removing taint as well, but there are other issues. Nobody is really working on them. [00:55]
Lynnwood: would i do that by editing the bin script? [00:55]
gac410: Yes. I plan to make a rewrite-shebang change to toggle the taint flag too. [00:55]
Lynnwood: could one just do it to edit since that’s where the issue currently is? [00:56]
gac410: I think you just disable UseLocale ... Disabling taint gives you about a 10% performance improvement as well. [00:56]
Lynnwood: performance has been pretty good... [00:57]
gac410: If you have Locales, the issue is that the system Locale files taint all the regexes. Any character class regex will end up tainted. [00:57]
Lynnwood: gotcha
odd that i didn’t run into this before...
i just moved this site from one installation to another and this wasn’t an issue there...
or before… on prior server.
[00:57]
gac410: Need to be on a very recent perl ... Locales are badly broken on old perls [00:58]
Lynnwood: all..
ah.
[00:58]
gac410: At least 5.14 but preferably even newer. [00:58]
Lynnwood: so… maybe i’ll check which version of perl is running on each. [00:58]
gac410: y That can make a difference. [00:59]
Lynnwood: ok well there you go
the server that was working is running perl 5, version 14
the one that’s broken is running v5.10.1
so perhaps i can get perl updated on server and fix things...
[00:59]
* gac410 has decided perlbrew or maybe plenv are the way to go Rather than waiting for the distros to catch up. [01:05]
Lynnwood: i was reading up on perlbrew recently
i was interested in it for Mac but didn’t consider it for servers (mostly ubuntu)
[01:06]
gac410: my servers use the os perl, but updating is so painful I'm always delaying updates. On my laptop I run perlbrew. 1/2 dozen versions or so I bounce between [01:09]
Lynnwood: how is updating them painful?
i haven’t run into much trouble in the past.
[01:14]
gac410: Just rebuilding / updating all the cpan modules. Some of my cpan mods have been difficult to install. [01:15]
Lynnwood: ah [01:16]
gac410: It's gentoo, so updates are a bit more involved. But it's - knock wood - been very stable for many years. [01:16]
Lynnwood: y, i guess i have run into it.
ah yes gentoo… this is why i’ve stuck with ubuntu when i can.
[01:16]
gac410: perlbrew with cpanm has just been really painless. Time to compile, but I have that issue on gentoo as well. [01:17]
Lynnwood: i’ve recently been playing with ubuntu on virtualbox for virtualized wiki.
i should write it up
i’ve been going through the whole process from scratch.
[01:17]
gac410: yeah ubuntu / debian. apt-get update / upgrade has been pretty simple. dist-upgrade has been not quite as smooth
I rebuilt the foswiki virtual machine for 1.1.9 using ubuntu / dist-upgrade. etc. and rebuilt the vmdk's all using quem
er qemu
reclaiming the disk space was a challenge.
New configure on 1.2 is going to be really great. CDot did a masterful job in the rewrite. But since it runs under Foswiki engine itself, certain recovery scenarios are going to be a beast.
[01:18]
Lynnwood: sounds great.
i’m going to get to the release meeting on monday
[01:21]
gac410: I built a TestBootstrapPlugin that runs the 1.2 bootstrap algorithm and reports differences from the installed configuration. We need to get test results from lots of varied servers / situations to make sure bootstrap is rock solid
CDot got bootstrap to the point that foswiki will run without any LocalSite.cfg. So a new install can access configure. But it depends upon successfully sniffing out the environment.
Linux, Apache, Short URLs, are covered pretty well. I expect nginx, lighttpd IIS, etc. are going to be more of a challenge.
But won't know until we see some bootstrap reports from the plugin.
Not this monday though. Release meeting on the 15th,
[01:21]
Lynnwood: oh yea
drats! i just realized i had it backwards.
it was working on the older version of perl and is broken on the newer!
bummer
[01:24]
gac410: hm. Well definitely try it without taint enabled. It doesn't add much value for stable systems. More of a developers tool IMO [01:25]
Lynnwood: Since i’m using fcgid, could i simply disable taint in the one script?
or do i need to do all…
[01:26]
gac410: The others are not used at all in fcgid. Just Foswiki.fcgid [01:26]
Lynnwood: except configure... [01:27]
gac410: Ah yeah. [01:27]
Lynnwood: if it’s working, would i need to do it also?
excuse my ignorance...
[01:27]
gac410: I don't think configure actually uses the locales so I doubt it matters. [01:28]
Lynnwood: right
duh
[01:28]
gac410: 1.2 configure is essentially an empty screen, with all info populated dynamically using jsonrpc calls. Running under Engine as typical, as Foswiki::UI::Configure [01:29]
Lynnwood: wow [01:29]
gac410: Complete total rewrite from the behemoth it had become with Timothe's mega shopping cart changes. [01:30]
Lynnwood: And to remove the taint, all i need to do is change -wT to -w in shebang? [01:31]
gac410: Correct [01:31]
Lynnwood: well, it’s not there.
simply: #! /usr/bin/perl
it is in edit script.
but you say that this isn’t called if using fcgid
[01:33]
gac410: Right. The only script called in fcgi env is Foswiki.fcgid
(and configure)
[01:35]
Lynnwood: so… if taint is not enabled there, where would it be? [01:35]
gac410: hm. I have no idea.
let me look a bit.
[01:35]
hm. i'm not finding much. One comment i saw suggests that fcgi automatically uses taint mode in certain suid situations. [01:41]
Lynnwood: could it be calls to rest script?
ajax calls and such?
[01:44]
gac410: They would all go to Foswiki.fcgid as well I'd think [01:44]
Lynnwood: ok [01:45]
gac410: Depends upon your apache config. Do you have them set as CGI or fcgid? [01:45]
Lynnwood: guess i’ll look.
y, i guess i would rewrite all calls to the bin directory to fcgid
[01:45]
gac410: http://lists.bestpractical.com/pipermail/rt-users/2003-December/019454.html [01:48]
***Vampire0 has quit IRC (Ping timeout: 240 seconds) [01:53]
Lynnwood: for what it’s worth… searching the entire foswiki 1.1.9 directory for the shebang with taint enabled finds the scripts in bin, plus one other: /lib/Foswiki/Func.pm
i’m afraid i couldn’t make much of the link you provided.
[01:54]
gac410: Func.pm has a shebang. That's not right [01:55]
Lynnwood: looks kind of bleak in regards to disabling taint with fcgi [01:55]
gac410: yeah this is awful news
Check your systems. Are the fcgid processes running with the same uid / gid as apache itself
ps ux -U apache -u apache (or www-data or whatever)
If fcgid and apache are the same uid/gid, then that doesn't explain the taint issue.
[01:55]
Lynnwood: they are running as same user
actually, i see right there the taint call
[02:02]
gac410: where? [02:02]
Lynnwood: www-data 4219 0.0 0.3 65372 30604 ? S Sep01 0:00 /usr/bin/perl -wT /var/www/xxxxx/bin/foswiki.fcgi [02:03]
gac410: Ah...
yup... just checked my system. same thing And same uid/gid so that's not the answer
[02:03]
Lynnwood: well, guess i’ll content myself for now with disabling locale
got to head to bed
thanks for the help. maybe i’ll revisit it tomorrow
[02:15]
gac410: I've dug into mod_fcgid source And a few other places. I don't find it anywhere. [02:16]
Lynnwood: and i can’t find any references for turning off taint for fcgi… [02:18]
gac410: me either. This is pretty poor. [02:18]
Lynnwood: i find some comments about it being turned on and that being an issue at times...
so… the purpose of using locale in checking regexes is that it is more exact in what it should let through?
or is it just breakage ready to happen?
[02:18]
gac410: No, Locale is needed to correctly match character classes. :Alpha: is different based upon locale. [02:21]
Lynnwood: sure, ok [02:21]
gac410: But Locale is pulled in externally from the os. So perl considers any regex that touches external locale data to generate tainted results. [02:22]
Lynnwood: how would i see this come up as an issue (e.g. in turning off locale)? [02:22]
gac410: Jast spent quite a bit of time working on it. In some cases it appears that perl gives you no way to untaint some regexes.
TBH I'm not the person to ask. I'm here in the US, and ascii works for me. It becomes more an issue with non-english languages, with unicode characters in the alphabet
[02:22]
Lynnwood: right [02:24]
gac410: http://jk.gs/perlunicode.html [02:24]
Lynnwood: i do have one site (the one i just updated) that supports several Euro languages. [02:24]
gac410: yeah so they might start having issues with locales disabled. I'm just not all that knowledgeable. [02:25]
Lynnwood: ok. yikes
so i wonder where i would see it show up as issue?
[02:25]
gac410: I don't know. [02:26]
Lynnwood: presumably with other language enabled… [02:26]
gac410: No. Don't confuse languages with locale. Languages enable the translations done with pootle. Translating common messages - topic not found, etc. [02:27]
Lynnwood: right
again… i knew this… ;-)
[02:27]
gac410: Locales control how things like sorting work. What's lower case, etc. [02:28]
Lynnwood: but perhaps if they are using a language with non-english characters, then it might show up in how their text is processed?
search results, sorting, etc?
[02:29]
gac410: I just don't know. Best to get up early and talk to jast. [02:29]
Lynnwood: get up early?!
;-)
i get up at 6:30-7 every day to let chickens out and get kids off
[02:29]
gac410: :) [02:30]
Lynnwood: but it takes me a couple cups to get to computer [02:30]
gac410: :) [02:30]
........... (idle for 50mn)
GithubBot: [distro] gac410 pushed 1 new commit to master: http://git.io/i4H--Q
distro/master 336f979 George Clark: Item12952: Configure crashes HTML Validation tests...
[03:20]
***GithubBot has left [03:20]
GithubBot: [TestBootstrapPlugin] gac410 pushed 1 new commit to master: http://git.io/2rO18Q
TestBootstrapPlugin/master ea13703 George Clark: Item13023: Cleanup manifest and unused files
[03:24]
***GithubBot has left [03:24]
Lynnwood has quit IRC (Quit: Lynnwood) [03:33]
........... (idle for 53mn)
gac410 has quit IRC (Quit: Leaving.) [04:26]
.............. (idle for 1h7mn)
ChanServ sets mode: +o Babar
ChanServ sets mode: +o Babar
[05:33]
gmc_ has quit IRC (Ping timeout: 268 seconds) [05:43]
.... (idle for 18mn)
ChanServ sets mode: +o MichaelDaum [06:01]
ChanServ sets mode: +o Lavr [06:11]
............... (idle for 1h11mn)
VerboEse has quit IRC (Ping timeout: 245 seconds) [07:22]
............................................ (idle for 3h37mn)
fsfs_ is now known as fsfs [10:59]
.............. (idle for 1h6mn)
ChanServ sets mode: +o Lavr
ChanServ sets mode: +o gac410
[12:05]
........ (idle for 36mn)
harlan has quit IRC (Ping timeout: 250 seconds) [12:45]
...................................... (idle for 3h7mn)
* MichaelDaum finished watching both tutorials at https://github.com/curran/screencasts/tree/gh-pages/introToAngular
now my head is spinning with new ideas
[15:52]
* gac410 is running a local "git clone --mirror" for all the repos on gh/foswiki. .... Assuming it runs to completion and then later runs again only updating the changed repos, I'll move it to foswiki.org ... But that will be after the weekend.
MichaelDaum: Then next week I'll try to finish off the ItemBranch stuff.
MichaelDaum: Lynnwood discovered last night. It's pretty much impossible to disable taint mode under fcgid. Even with it omitted from all the scripts, engine, etc, it still gets enabled when apache spawns the fcgid process.
[15:53]
MichaelDaum: I disabled taint mode in Extensions/Testing/FastCGEngineContrib.
it was checking for taint mode enabled and respawned itself if not.
so that is not really impossible
[15:57]
gac410: Ah... Hopefully lynnwood sees this. He was struggling last night, upgraded perl on a client server and was forced to disable Locales. [15:58]
MichaelDaum: it just requires it to be pinched [15:59]
gac410: I couldn't find where taint mode was established. But maybe I was looking at your patched extension and didn't realize it. [15:59]
MichaelDaum: two places: foswiki.fcgi and Foswiki::Engine::FastCGI::reExec()
https://github.com/foswiki/FastCGIEngineContrib/commit/ed689e67f1299e8f4dac37e6ddd3f0eb398ae858#diff-0580a1f8a5ac5d3427c1978610eec694L44 and https://github.com/foswiki/FastCGIEngineContrib/commit/ed689e67f1299e8f4dac37e6ddd3f0eb398ae858#diff-8573b4a04528e32abc33ecfa5d70eda4L175
[16:00]
gac410: Excellent. I hunted for a while last night but never found the issue.
* gac410 needs to find a js library for creating a $apr1$.... password hash. I'd like to restore the sudo password, but allow configure to optionally set / clear it, encrypting it in the js ui, so we never send it in the clear.
Found one implementation, but the unobfuscated source doesn't appear to be published that I could find anyway.
[16:07]
***ChanServ sets mode: +o Lavr [16:21]
GithubBot: [distro] gac410 pushed 1 new commit to master: http://git.io/_dYXqw
distro/master 6efaeb7 George Clark: Item11267: Add script to mirror github repositories...
[16:31]
***GithubBot has left
gac410 has left
[16:31]
................... (idle for 1h33mn)
ChanServ sets mode: +o Lynnwood [18:07]
................................... (idle for 2h53mn)
tsnfoo has quit IRC (Quit: tsnfoo) [21:00]
