17 July 2011

Perl: Wide character in subroutine entry

It took some time for me to trace what dies with the error "Wide character in subroutine entry," and searching for it didn't help much, either.

But in the end, it turned out that Digest::MD5::md5_hex() causes this error if its parameter contains a wide character:

    use Digest::MD5 qw(md5_hex);
    $x = "El\x{151}d";
    md5_hex($x); # Dies with 'Wide character in subroutine entry'

I haven't tested other Digest::MD5 functions, but I hope this helps someone.
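
One way to avoid the error, as an added example that is not part of the original post: encode the character string to UTF-8 bytes before hashing it. The helper name md5_hex_utf8 and the sample strings are assumptions made for illustration; the second sample shows that code points 128..255 do not die but are hashed as single bytes, so the digest silently differs from the one computed over the UTF-8 encoding.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Encode qw(encode_utf8);

# Hypothetical helper: hash the UTF-8 encoding of a character string,
# so that md5_hex() only ever sees bytes.
sub md5_hex_utf8 {
    my ($text) = @_;
    return md5_hex(encode_utf8($text));
}

# Constructed samples.
my $wide   = "El\x{151}d";   # contains U+0151, a code point above 255
my $latin1 = "caf\x{e9}";    # contains U+00E9, which fits in one byte

# Passing the character string directly dies, as described in the post.
my $ok = eval { md5_hex($wide); 1 };
print "direct call died: $@" unless $ok;

# Encoding first gives md5_hex() a plain byte string.
print "UTF-8 digest of wide string: ", md5_hex_utf8($wide), "\n";

# Code points 128..255 are accepted without error, but each one is hashed
# as a single byte, not as its two-byte UTF-8 form. Two systems that
# disagree on this step compute different digests for the same text.
my $raw  = md5_hex($latin1);
my $utf8 = md5_hex_utf8($latin1);
print "digest of raw string    : $raw\n";
print "digest of UTF-8 encoding: $utf8\n";
print "digests differ\n" if $raw ne $utf8;
```

Wherever digests are compared (checksums, cache keys, signatures over text), pick one encoding step and apply it to every input, not only to the ones that would otherwise die.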

3 July 2011

PHP bug: binary characters in open_basedir allowed path and security issues

I must've been searching for the wrong keywords, as I only found the related bug report (here) after finding a fix to this problem:

I'm using WAMP Server under Windows, and when I specified "php_admin_value open_basedir" in the Apache configuration file, it worked fine after restarting all services in the WAMP server, but after the first reload, the open_basedir path magically transformed itself into a series of binary characters, and the restriction (obviously) failed. I also had the network connection reset a number of times while the browser was trying to load the page.

This was not an issue if open_basedir was specified in php.ini only.

Fortunately, the issue seems to have been fixed. It was a problem when I used Apache version 2.2.11 and PHP ver 5.3.0, but with Apache ver 2.2.17 and PHP ver 5.3.4, everything works fine. I think it was a PHP bug (although I also read an initial PHP bug report where it was apparently claimed that it wasn't), so if you encounter this error, all you have to do is to upgrade PHP.

Be warned, though, it seems that specifying open_basedir in itself is not safe enough; this report by the hardened PHP project suggests disabling the symlink function as well to avoid a possible hack.