Closed Bug 416382 Opened 17 years ago Closed 17 years ago

Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint error

Categories

(Bugzilla :: Attachments & Requests, defect)

3.0.3
defect
Not set
major

Tracking


RESOLVED FIXED
Bugzilla 3.0

People

(Reporter: ben.vandermerwe, Assigned: LpSolit)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Bugzilla 3.0.3

Bugzilla 3.0.3 gives an "Insecure dependency in sprintf" error from attachment.cgi.

If a user logs into Bugzilla, it works fine. But trying to attach anything to a case results in a server error. If there is any work around or perl flag or option that can be set, that would be wonderful! Thanks. Currently our Bugzilla is pretty much dead in the water.

The Apache error.log contains this:

[Fri Feb 08 09:50:13 2008] [error] [client 10.4.0.19] Premature end of script headers: attachment.cgi, referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter
[Fri Feb 08 09:50:13 2008] [error] [client 10.4.0.19] Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter

The server is running:
MySQL 5.0.51
Perl v5.10.0.1002
Apache 2.2.8
PHP 5.2.5
Bugzilla 3.0.3
Windows XP SP2

perl checksetup.pl gives:

* This is Bugzilla 3.0.3 on perl 5.10.0
* Running on WinXP/.Net Build 2600 (Service Pack 2)

Checking perl modules...
Checking for CGI (v2.93) ok: found v3.29
Checking for TimeDate (v2.21) ok: found v2.22
Checking for DBI (v1.41) ok: found v1.601
Checking for PathTools (v0.84) ok: found v3.2501
Checking for Template-Toolkit (v2.12) ok: found v2.19
Checking for Email-Send (v2.16) ok: found v2.192
Checking for Email-MIME-Modifier (any) ok: found v1.442

Checking available perl DBD modules...
Checking for DBD-Pg (v1.45) not found
Checking for DBD-mysql (v2.9003) ok: found v4.005

The following Perl modules are optional:
Checking for GD (v1.20) ok: found v2.35
Checking for Template-GD (any) not found
Checking for Chart (v1.0) not found
Checking for GDGraph (any) ok: found v1.44
Checking for GDTextUtil (any) ok: found v0.86
Checking for XML-Twig (any) ok: found v3.32
Checking for MIME-tools (v5.406) ok: found v5.425
Checking for libwww-perl (any) ok: found v2.036
Checking for PatchReader (v0.9.4) ok: found v0.9.5
Checking for PerlMagick (any) not found
Checking for perl-ldap (any) ok: found v0.34
Checking for SOAP-Lite (any) ok: found v0.69
Checking for HTML-Parser (v3.40) ok: found v3.56
Checking for HTML-Scrubber (any) ok: found v0.08
Checking for Email-MIME-Attachment-Stripper (any) not found
Checking for Email-Reply (any) ok: found v1.202
Checking for mod_perl (v1.999022) not found
Checking for CGI (v3.11) ok: found v3.29

* NOTE: You must run any commands listed below as Administrator.

***********************************************************************
* Note For Windows Users                                              *
***********************************************************************
* In order to install the modules listed below, you first have to run *
* the following command as an Administrator:                          *
*                                                                     *
*   ppm repo add theory58S http://theoryx5.uwinnipeg.ca/ppms          *
*                                                                     *
* Then you have to do (also as an Administrator):                     *
*                                                                     *
*   ppm repo up theory58S                                             *
*                                                                     *
* Do that last command over and over until you see "theory58S" at the *
* top of the displayed list.                                          *
***********************************************************************

**********************************************************************
* OPTIONAL MODULES                                                   *
**********************************************************************
* Certain Perl modules are not required by Bugzilla, but by          *
* installing the latest version you gain access to additional        *
* features.                                                          *
*                                                                    *
* The optional modules you do not have installed are listed below,   *
* with the name of the feature they enable. If you want to install   *
* one of these modules, just run the appropriate command in the      *
* "COMMANDS TO INSTALL" section.                                     *
**********************************************************************

*******************************************************************************
* MODULE NAME                    * ENABLES FEATURE(S)                         *
*******************************************************************************
* Template-GD                    * Graphical Reports                          *
* Email-MIME-Attachment-Stripper * Inbound Email                              *
* Chart                          * New Charts, Old Charts                     *
* PerlMagick                     * Optionally Convert BMP Attachments to PNGs *
* mod_perl                       * mod_perl                                   *
*******************************************************************************

COMMANDS TO INSTALL:
Template-GD: ppm install Template-GD
Email-MIME-Attachment-Stripper: ppm install Email-MIME-Attachment-Stripper
Chart: ppm install Chart
PerlMagick: ppm install PerlMagick
mod_perl: ppm install mod_perl

Reading ./localconfig...

OPTIONAL NOTE: If you want to be able to use the 'difference between two patches' feature of Bugzilla (which requires the PatchReader Perl module as well), you should install patchutils from: http://cyberelk.net/tim/patchutils/

The following variables are no longer used in ./localconfig, and should be removed: severities, platforms, opsys, priorities

Checking for DBD-mysql (v2.9003) ok: found v4.005
Checking for MySQL (v4.1.2) ok: found v5.0.51a-community-nt
Removing existing compiled templates ...
Precompiling templates...

Reproducible: Always

Steps to Reproduce:
1. User goes to a bug in Bugzilla and clicks "Add Attachment"
2. He fills in the details and clicks "submit".

Actual Results:
The web browser shows this:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, xxx@xxxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

Expected Results:
Attachment should be added successfully.

I am pretty much running the latest stable releases of all the software, as listed above. I have googled and there are some other reports about the same type of Insecure error popping up in 3.01 in other places. Any sort of work around would be appreciated. Is there a way to turn this off?
Summary: Trying to attach bug gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http://10.4.1.7:5556/attachment.cgi?bugid=806&action=enter → Trying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter
Version: unspecified → 3.0.3
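The log line quoted in the report ("Insecure dependency in sprintf while running with -T switch") is Perl's taint check refusing a sprintf whose format string is tainted. The script below is an added example, not code from Bugzilla or from CGI.pm: it takes a directory name from the command line (so the value is tainted by definition under -T), shows the interpolated-format form failing and the argument form succeeding, and then untaints the resulting path with a whitelist regex before it could reach any filesystem call. The file-name scheme and the untaint_path helper are my own assumptions, written to resemble a temp-file spool rather than to reproduce CGI.pm's implementation.

```perl
#!/usr/bin/perl -T
# Added example (not Bugzilla or CGI.pm code): why a tainted sprintf FORMAT
# dies under -T, why the same string built from tainted ARGUMENTS does not,
# and how to untaint a path before using it. Run as:  perl -T taint_demo.pl C:\Temp
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: the spool directory comes from @ARGV, which Perl marks
# tainted under -T exactly as it does %ENV values such as TMPDIR or TEMP.
my $tmpdir = shift @ARGV;
die "usage: perl -T $0 <tmpdir>\n" unless defined $tmpdir;
my $sl  = '\\';   # assumed path separator for the demo
my $seq = 42;     # assumed temp-file sequence number

print 'directory tainted: ', (tainted($tmpdir) ? 'yes' : 'no'), "\n";

# 1) Tainted data interpolated INTO the format string. Perl checks the
#    format itself, so this is the fatal "Insecure dependency in sprintf".
my $bad = eval { sprintf("${tmpdir}${sl}CGItemp%d", $seq) };
print 'interpolated format: ', (defined $bad ? "ok ($bad)\n" : "died: $@");

# 2) Same string, but the tainted value is passed as a %s ARGUMENT. The
#    format is a clean literal, so sprintf succeeds; the result inherits
#    the taint, which is what we want until the value has been validated.
my $path = sprintf('%s%sCGItemp%d', $tmpdir, $sl, $seq);
print "argument form: $path (tainted: ", (tainted($path) ? 'yes' : 'no'), ")\n";

# 3) Untaint before the path reaches open/unlink/mkdir, which also refuse
#    tainted operands under -T. Only the captured group is clean, the
#    character class is a whitelist, and ".." is rejected outright so a
#    caller-supplied directory cannot walk out of the intended tree.
sub untaint_path {
    my ($p) = @_;
    return unless defined $p;
    return if $p =~ /\.\./;
    my ($clean) = $p =~ m{\A([A-Za-z0-9_:\\/. -]+)\z};
    return $clean;   # undef when any other character is present
}

my $clean = untaint_path($path);
if (defined $clean) {
    print "untainted: $clean (tainted: ", (tainted($clean) ? 'yes' : 'no'), ")\n";
} else {
    print "rejected: path contains characters outside the whitelist\n";
}
```

The -T on the #! line means the script must also be started with `perl -T`; without the switch Perl refuses to run it, and without taint mode step 1 silently succeeds, which is exactly the difference between the reporter's failing 5.10 setup and a non-taint test run.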
I can see this, too. I suspect Perl 5.10.0 -- can you downgrade to Perl 5.8.x?
Migrating back down to Perl 5.8.8 resolved this problem. Thank you kindly Marc! At least now there is a known work around!
We may need to blacklist certain version combinations of Perl and the CGI module. Requesting blocking to get this into the release notes or minimum requirements list.
Flags: blocking3.2?
Flags: blocking3.0.4?
Yes, this is a known problem with CGI.pm and Perl 5.10 on versions of CGI.pm less than 3.33 (the very latest): http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2008-01/msg01376.html
Severity: critical → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking3.2?
Flags: blocking3.2+
Flags: blocking3.0.4?
Flags: blocking3.0.4+
OS: Windows XP → All
Hardware: PC → All
Summary: Trying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter → Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint errorTrying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter
Target Milestone: --- → Bugzilla 3.0
(In reply to comment #1)
> I can see this, too. I suspect Perl 5.10.0 -- can you downgrade to Perl 5.8.x?

I should try again, but I don't remember having problems with Perl 5.10.0 and CGI.pm 3.29 (what a pity I rebooted on Linux right now, I cannot test again).
Summary: Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint errorTrying to add bug attachment gives Insecure dependency in sprintf while running with -T switch at (eval 42) line 6., referer: http: ... attachment.cgi?bugid=806&action=enter → Adding an attachment with Perl 5.10 and CGI.pm < 3.33 throws a taint error
(In reply to comment #6)
> I should try again, but I don't remember having problem with Perl 5.10.0 and
> CGI.pm 3.29 (what a pity I rebooted on Linux right now, I cannot test again).

You might have to try uploading something large enough that CGI.pm tries to use a temp file instead of storing it in memory. I don't know what the size limit is for that.
(In reply to comment #4)
> We may need to blacklist certain version combinations of Perl and the CGI
> module. Requesting blocking to get this into the release notes or minimum
> requirements list.

We shouldn't blacklist anything. CGI.pm 3.33, the latest currently available, still doesn't have this fix:

http://search.cpan.org/src/LDS/CGI.pm-3.33/Changes

The maintainer said he would include the fix on January 30, but 3.33 was released on January 3rd. So blacklisting CGI.pm 3.33 and older would mean forbidding Perl 5.10. We should rather relnote it.
Following is the result of the checksetup.pl command:

C:\>cd c:\bugzilla

C:\Bugzilla>perl checksetup.pl
* This is Bugzilla 3.0.2 on perl 5.8.8
* Running on Win2003 Build 3790 (Service Pack 2)

Checking perl modules...
Checking for CGI (v2.93) ok: found v3.29
Checking for TimeDate (v2.21) ok: found v2.22
Checking for DBI (v1.41) ok: found v1.58
Checking for PathTools (v0.84) ok: found v3.25
Checking for Template-Toolkit (v2.12) ok: found v2.15
Checking for Email-Send (v2.16) ok: found v2.185
Checking for Email-MIME-Modifier (any) ok: found v1.442

Checking available perl DBD modules...
Checking for DBD-Pg (v1.45) not found
Checking for DBD-mysql (v2.9003) ok: found v3.0002

The following Perl modules are optional:
Checking for GD (v1.20) ok: found v2.16
Checking for Template-GD (any) ok: found v1.56
Checking for Chart (v1.0) ok: found v2.3
Checking for GDGraph (any) ok: found v1.43
Checking for GDTextUtil (any) ok: found v0.86
Checking for XML-Twig (any) ok: found v3.26
Checking for MIME-tools (v5.406) ok: found v5.411
Checking for libwww-perl (any) ok: found v2.036
Checking for PatchReader (v0.9.4) ok: found v0.9.5
Checking for PerlMagick (any) not found
Checking for perl-ldap (any) ok: found v0.34
Checking for SOAP-Lite (any) ok: found v0.55
Checking for HTML-Parser (v3.40) ok: found v3.56
Checking for HTML-Scrubber (any) ok: found v0.08
Checking for Email-MIME-Attachment-Stripper (any) ok: found v1.313
Checking for Email-Reply (any) ok: found v1.202
Checking for mod_perl (v1.999022) not found
Checking for CGI (v3.11) ok: found v3.29
Checking for Apache-DBI (v0.96) not found

* NOTE: You must run any commands listed below as Administrator.

***********************************************************************
* Note For Windows Users                                              *
***********************************************************************
* In order to install the modules listed below, you first have to run *
* the following command as an Administrator:                          *
*                                                                     *
*   ppm repo add theory58S http://theoryx5.uwinnipeg.ca/ppms          *
*                                                                     *
* Then you have to do (also as an Administrator):                     *
*                                                                     *
*   ppm repo up theory58S                                             *
*                                                                     *
* Do that last command over and over until you see "theory58S" at the *
* top of the displayed list.                                          *
***********************************************************************

**********************************************************************
* OPTIONAL MODULES                                                   *
**********************************************************************
* Certain Perl modules are not required by Bugzilla, but by          *
* installing the latest version you gain access to additional        *
* features.                                                          *
*                                                                    *
* The optional modules you do not have installed are listed below,   *
* with the name of the feature they enable. If you want to install   *
* one of these modules, just run the appropriate command in the      *
* "COMMANDS TO INSTALL" section.                                     *
**********************************************************************

*******************************************************************************
* MODULE NAME                    * ENABLES FEATURE(S)                         *
*******************************************************************************
* PerlMagick                     * Optionally Convert BMP Attachments to PNGs *
* mod_perl                       * mod_perl                                   *
* Apache-DBI                     * mod_perl                                   *
*******************************************************************************

COMMANDS TO INSTALL:
PerlMagick: ppm install PerlMagick
mod_perl: ppm install mod_perl
Apache-DBI: ppm install Apache-DBI

Reading ./localconfig...

OPTIONAL NOTE: If you want to be able to use the 'difference between two patches' feature of Bugzilla (which requires the PatchReader Perl module as well), you should install patchutils from: http://cyberelk.net/tim/patchutils/

Checking for DBD-mysql (v2.9003) ok: found v3.0002
Checking for MySQL (v4.1.2) ok: found v5.0.37-community-nt
Removing existing compiled templates ...
Precompiling templates...

C:\Bugzilla>

I am using IIS. Still I am getting this error. Please suggest.
(In reply to comment #8)
> We shouldn't blacklist anything. CGI.pm 3.33, the latest currently available,
> still hasn't this fix:
>
> http://search.cpan.org/src/LDS/CGI.pm-3.33/Changes

Interestingly enough, the URL above doesn't mention this fix in 3.33, but the one below does, for 3.33:

http://search.cpan.org/src/LDS/CGI.pm-3.35/Changes

As CGI.pm 3.35 has been released, it's now fine to require 3.33 or better with Perl 5.10.
Attached patch: patch, v1 (deleted)
Make sure CGI 3.33 or better is available when running Perl 5.10 or higher.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #314066 - Flags: review?(wurblzap)
Attachment #314066 - Flags: review?(mkanat)
Comment on attachment 314066 [details] [diff] [review]
patch, v1

I think:

eval { require 5.10 }

would be simpler than that vers_cmp check.
(In reply to comment #12)
> eval { require 5.10 } would be simpler than that vers_cmp check.

Bah, let's avoid eval {} when we can. And the syntax used in the patch is already used elsewhere. :)
Oh, and it wouldn't be simpler as you would have to check $@, making the code even bigger.
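The rule the patch adds, and the `eval { require 5.10 }` versus version-compare discussion above, can be shown stand-alone. The script below is an added example and is not Bugzilla's Bugzilla/Install/Requirements.pm or its vers_cmp: it decides the minimum CGI.pm version from Perl's numeric version `$]` (no eval or `$@` check needed for that part), then verifies the CGI.pm actually installed on the machine against that minimum with the core UNIVERSAL::VERSION check. The 2.93 baseline for older Perls is the value shown in the checksetup output in this bug; the function names are my own.

```perl
# Added example, not Bugzilla's Requirements.pm: require CGI.pm >= 3.33 on
# Perl 5.10 or newer, and the pre-existing 2.93 baseline otherwise, then
# check the installed CGI.pm against that minimum.
use strict;
use warnings;

# $] is Perl's numeric version (5.010000 for 5.10.0, 5.008008 for 5.8.8),
# so a numeric compare decides the rule without eval { require 5.10 } and
# the follow-up $@ test that would otherwise be needed.
sub min_cgi_version {
    my ($perl_numeric) = @_;
    return $perl_numeric >= 5.010 ? '3.33' : '2.93';
}

# UNIVERSAL::VERSION dies when the installed version is below the minimum,
# and require dies when the module is absent, so this eval is unavoidable;
# the outcome is returned as data rather than thrown.
sub check_cgi {
    my ($perl_numeric) = @_;
    my $need = min_cgi_version($perl_numeric);
    my $ok   = eval { require CGI; CGI->VERSION($need); 1 };
    my $err  = $ok ? '' : $@;
    $err =~ s/\s+\z//;
    my $have = eval { CGI->VERSION };   # undef if CGI.pm could not be loaded
    return {
        perl   => $perl_numeric,
        need   => $need,
        found  => $have,
        ok     => $ok ? 1 : 0,
        reason => $err,
    };
}

# The two interpreter versions discussed in this bug, plus the one running
# this script, all evaluated against the CGI.pm installed on this machine.
for my $perl (5.008008, 5.010000, $]) {
    my $r = check_cgi($perl);
    printf "perl %-8s needs CGI >= %s, found %s: %s%s\n",
        $perl,
        $r->{need},
        defined $r->{found} ? $r->{found} : 'none',
        $r->{ok} ? 'ok' : 'NOT OK',
        $r->{reason} ? " ($r->{reason})" : '';
}
```

On the reporter's box (Perl 5.10.0 with CGI.pm 3.29) the 5.010000 row reports NOT OK, which is the situation checksetup.pl silently accepted before this patch; after downgrading to 5.8.8, as the reporter did, the 5.008008 row is satisfied by the same CGI.pm 3.29.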
Comment on attachment 314066 [details] [diff] [review] patch, v1 Okay, that looks fine to me, then. :-)
Attachment #314066 - Flags: review?(mkanat) → review+
Flags: approval3.0+
Flags: approval+
Attachment #314066 - Flags: review?(wurblzap)
tip:
Checking in Bugzilla/Install/Requirements.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Requirements.pm,v <-- Requirements.pm
new revision: 1.45; previous revision: 1.44
done

3.0.3:
Checking in Bugzilla/Install/Requirements.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Requirements.pm,v <-- Requirements.pm
new revision: 1.29.2.4; previous revision: 1.29.2.3
done
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: relnote
Resolution: --- → FIXED
I'm not sure this was relnoted for 3.0.4, but we released it a while ago, so removing relnote keyword.
Keywords: relnote
No, we didn't relnote it when releasing 3.0.4 (which wasn't released that long ago).