List Info

Thread: Trouble with pgsql: Insecure dependency in parameter 1 of DBI
Trouble with pgsql: Insecure dependency in parameter 1 of DBI
user name
 2007-02-21 04:36:56 
I've been trying to change the sql backend from mysql to
postgresql
(8.1), the latest hindrance leaves the following in
mail.log:

Feb 21 11:13:47 censored amavis[16546]: (16546-01-5) WARN
save_info_preliminary: Insecure dependency in parameter 1
of
DBI::db=HASH(0xa678130)->prepare method call while
running with -T
switch at /usr/lib/perl5/DBD/Pg.pm line 277, <GEN21>
line 709.
Feb 21 11:13:48 censored amavis[16544]: (16544-02-5) WARN
save_info_preliminary: Insecure dependency in parameter 1
of
DBI::db=HASH(0xa6781fc)->prepare method call while
running with -T
switch at /usr/lib/perl5/DBD/Pg.pm line 277, <GEN21>
line 1127.
Feb 21 11:13:48 censored amavis[16547]: (16547-02-5) WARN
save_info_preliminary: Insecure dependency in parameter 1
of
DBI::db=HASH(0xa67393c)->prepare method call while
running with -T
switch at /usr/lib/perl5/DBD/Pg.pm line 277, <GEN21>
line 3025.
Feb 21 11:13:48 censored amavis[16542]: (16542-02-5) WARN
save_info_preliminary: Insecure dependency in parameter 1
of
DBI::db=HASH(0xa6782bc)->prepare method call while
running with -T
switch at /usr/lib/perl5/DBD/Pg.pm line 277, <GEN21>
line 2293.
Feb 21 11:13:48 censored amavis[16543]: (16543-02-4) WARN
save_info_final: Insecure dependency in parameter 1 of
DBI::db=HASH(0xa678208)->prepare method call while
running with -T
switch at /usr/lib/perl5/DBD/Pg.pm line 277, <GEN21>
line 2316.

There are a lot more different line-numbers after
<GEN21> than that
though. I've googled and this is assumed to be perl
taint-problems;
I'm no perl-wizard so what do I do?

I'm only using postgres to store the "log" now, as
a test, but nothing
is actually logged to it. By switching back to mysql the
above types
of messages disappear.

I'm currently running amavisd-new 2.3.3 (with about ten
lines of
extras), perl 5.8.4, libdbd-pg-perl (DBD::Pg) 1.41.


HM.

------------------------------------------------------------
-------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the
chance to share your
opinions on IT & business topics through brief
surveys-and earn cash
http://www.techsay.com/default.
php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/
Re: Trouble with pgsql: Insecure dependency in parameter 1 of DBI
country flaguser name
Slovenia		 2007-02-21 05:56:46 
Hanne Moa,

> I've been trying to change the sql backend from mysql
to postgresql
> (8.1), the latest hindrance leaves the following in
mail.log:
>
> Feb 21 11:13:47 censored amavis[16546]: (16546-01-5)
WARN
> save_info_preliminary: Insecure dependency in parameter
1 of
> DBI::db=HASH(0xa678130)->prepare method call while
running with -T
> switch at /usr/lib/perl5/DBD/Pg.pm line 277,
<GEN21> line 709.

> I'm only using postgres to store the "log"
now, as a test, but nothing
> is actually logged to it. By switching back to mysql
the above types
> of messages disappear.
>
> I'm currently running amavisd-new 2.3.3 (with about ten
lines of
> extras), perl 5.8.4, libdbd-pg-perl (DBD::Pg) 1.41.

If I remember well there is a bug in
DBD::Pg::last_insert_id()
which does not untaint results from internally generated
SELECT.
Don't know if it was fixed since, but later versions of
amavisd-new
avoided the problem altogether by not needing last_insert_id
any longer.

I'd suggest to first try upgrading DBD::Pg and DBI to their
current
version, and if that does not fix it, use amavisd-new-2.4.5,
at least
as a test (the config file is upwards compatible, you only
have to
replace the file 'amavisd').

Note minor compatibility issues with SQL:

amavisd-new-2.4.4 release notes:
 COMPATIBILITY WITH 2.4.3
- PostgreSQL quarantining: data type of field
quarantine.mail_text should
  be 'bytea' (instead of 'text') to allow storing arbitrary
octets without
  associating them with a character set.  See below for a
conversion of an
  existing database. Similarly with MySQL the data type
should be 'blob'.

amavisd-new-2.4.2 release notes:
 COMPATIBILITY WITH 2.4.1:
  There are no incompatible changes since 2.4.1, but please
notice below
  the fixes to SQL and to LDAP documentation, which may
affect you.
 BUG FIXES AND CHANGES since 2.4.1:
- README.sql PostgreSQL notes: fixed incorrect advice in
README.sql which
  suggested to declare a field msgs.time_iso as TIMESTAMP
WITHOUT TIME ZONE
  instead of the correct TIMESTAMP WITH TIME ZONE. [...]



Some other taint-related issues fixed by later versions of
amavisd-new:

amavisd-new-2.4.2 release notes

- perl taint workaround in lookup_sql() where SQL select
clause
  could become tainted; problem reported by Christer
Borang;

amavisd-new-2.4.0 release notes

- require minimal version 1.43 of DBI, working
last_insert_id is needed;

- untaint recip_score_boost when writing a log report entry
to SQL;
  'Insecure dependency in parameter 7' could have been
reported when
  SQL-based score_sender lookup table is used; reported by
Jim Knuth;


Mark

------------------------------------------------------------
-------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the
chance to share your
opinions on IT & business topics through brief
surveys-and earn cash
http://www.techsay.com/default.
php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/
Re: Trouble with pgsql: Insecure dependency in parameter 1 of DBI
country flaguser name
Slovenia		 2007-02-22 04:41:11 
Hanne Moa,

> > I'd suggest to first try upgrading DBD::Pg
>
> Doing this alone does not solve the problem. What is it
with perl and
> tainting anyway? *sigh*

This time it is not Perl's fault, it is a genuine bug (or
omission)
in DBD::Pg, if the problem is what I think it is.

> When exactly did amavis stop using last_insert_id()?
2.4.5 isn't in
> backports (the newest there is 2.4.2), that's why I'm
asking, as local
> policy is to go to backports for newer stuff and never
build
> ourselves.

amavisd-new-2.4.0 release notes

- internal/coding: when logging to SQL avoid a need for
last_insert_id()
  by doing SELECT after INSERT when adding a new e-mail
address to table maddr;
  this also avoids a rollback/retry when more than one
process tries to insert
  the same new address into a database;


Mark

------------------------------------------------------------
-------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the
chance to share your
opinions on IT & business topics through brief
surveys-and earn cash
http://www.techsay.com/default.
php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/
Re: Trouble with pgsql: Insecure dependency in parameter 1 of DBI
country flaguser name
Slovenia		 2007-02-26 10:44:20 
Hanne Moa,

> Oh, and here's an update for README.sql.txt:
>
> When using postgres instead of mysql and you are
sufficiently
> paranoid, don't just remove "UNSIGNED"
throughout the table
> definitions but add "CHECK (<name_of_col>
>= 0)" to the end of al the
> unsigned types, to assure that no negative numbers can
be stored in 'em.
> So:  id int UNSIGNED NOT NULL -> id int NOT NULL
CHECK (id >= 0)

Thanks. I have just split the README.sql documentation file
into three,
as the number of differences in details between MySQL and
the rest
made the monolythic approach difficult to read:

  README.sql        general SQL considerations and some
examples
  README.sql-mysql  MySQL-specific notes and schema
  README.sql-pg     PostgreSQL-specific notes and schema
(also SQLite)

(also on the web page). The README.sql-pg now includes your
suggestion
about added CHECK. Further SQL-related documentation updates
are welcome.

  Mark

------------------------------------------------------------
-------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the
chance to share your
opinions on IT & business topics through brief
surveys-and earn cash
http://www.techsay.com/default.
php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )