Author Topic: Bounce.php errors in error_log (Read 4283 times)

deanna · « **on:** October 05, 2007, 09:53:28 am »

Hello,

I attempted searching for this error here but all "variable passed" errors were on signup.php which I am not seeing here.

Evidently bounce.php has not been working for some time as the oldest of these errors dates back quite a ways.

Here are the errors

Code: [Select]

[17-Sep-2007 06:30:32] PHP Warning:  reset() [<a href='function.reset'>function.reset</a>]: Passed variable is not an array or object in /home/ddavis/public_html/listmail/bounce.php on line 42
[17-Sep-2007 06:30:32] PHP Warning:  Variable passed to each() is not an array or object in /home/ddavis/public_html/listmail/bounce.php on line 43

The server's running Apache 2.2.6/PHP 5.2.4 and is a CPanel VPS. Let me know if I need to supply any further information.

DW · « **Reply #1 on:** October 05, 2007, 10:59:23 am »

Greetings,

It looks like messages are not being properly forwarded to bounce.php.

"Test Mail Settings" should return a success message to the Administrator Email. Does it?

Please attempt to reconfigure bounce.cgi with the following instructions:
http://www.listmailpro.com/help/cgi_cpanel.html

Regards

deanna · « **Reply #2 on:** October 05, 2007, 12:04:49 pm »

Hello Dean,

As a matter of fact if I run test email settings it does produce a success message and an email is delivered to the administrator email address.

I have had the forwarder configured that way. Here it is

Code: [Select]


bounce@listmail.domain.net  	to  	|/home/user/public_html/listmail/cgi-bin/bounce.cgi

"domain" and "user" replaced with the proper domain name and user name of course.

getresults · « **Reply #3 on:** October 06, 2007, 01:23:40 am »

Quote from: "deanna"

Hello Dean,

As a matter of fact if I run test email settings it does produce a success message and an email is delivered to the administrator email address.

I have had the forwarder configured that way. Here it is
Code: [Select]
bounce@listmail.domain.net to |/home/user/public_html/listmail/cgi-bin/bounce.cgi

"domain" and "user" replaced with the proper domain name and user name of course.

I've just noticed I'm getting exactly the same error on our Hostgator dedicated server running cpanel.

DW · « **Reply #4 on:** October 08, 2007, 08:24:07 am »

Please submit your info for investigation of this issue.

Regards

deanna · « **Reply #5 on:** October 08, 2007, 09:08:39 am »

Support ticket sent, thanks Dean

DW · « **Reply #6 on:** October 10, 2007, 05:51:22 am »

Got it and see the error messages. Allow me to explain my thoughts.

From bounce.php:

Code: [Select]

while(!$done){
 if($cchar == strlen($em)) $done = 1;
 if($em[$cchar]<>"\n" && !$done){
  $cchar++;
 } else {
  $line = substr($em,$schar,$cchar-$schar);
  if($line) $lines[$cline] = $line;
  $schar=$cchar+1;
  $cline++;
  $cchar++;
 }
}

// find lines that start with To:
reset($lines);

The reset() call is failing because $lines is not set. This should only happen if line 1 is true:

Code: [Select]

if($cchar == strlen($em)) $done = 1;
Basically it's "done" before $lines, used in the reset() call, is built. Therefore I assume the email is not being forwarded properly.

Looking at bounce.cgi on the provided server I found some outdated code, previously used to try to detect which message bounced. e.g.:

Code: [Select]

$msgtype = '';
 $userid = '';
 $msgid = '';

 # find flags
 $searchstr = 'X-LM-Flags: ';
 $strpos = index($email,$searchstr);

Code: [Select]

# build command
 $sys_cmd = $http_program . "\\?";
 $sys_cmd = $sys_cmd . "mt=" . $msgtype . "\\&";
 $sys_cmd = $sys_cmd . "ui=" . $userid . "\\&";
 $sys_cmd = $sys_cmd . "mi=" . $msgid;

In conclusion, you need an updated copy of bounce.cgi from the latest files available in the member area. I had thought you wouldn't need to upgrade this file when updating ListMail from even very old versions, but apparently you do. :shock:

Please let me know if the problem continues after updating bounce.cgi.

Regards

deanna · « **Reply #7 on:** October 10, 2007, 09:42:27 am »

Good morning Dean,

I wish it were not the case but I attempted to send to a test list with one good address and one bad. Here is the content of the error_log:

Code: [Select]

[10-Oct-2007 09:12:16] PHP Warning:  reset() [<a href='function.reset'>function.reset</a>]: Passed variable is not an array or object in /home/ddavis/public_html/listmail/bounce.php on line 42
[10-Oct-2007 09:12:16] PHP Warning:  Variable passed to each() is not an array or object in /home/ddavis/public_html/listmail/bounce.php on line 43

If there is anything else I can do to help please let me know.

DW · « **Reply #8 on:** October 10, 2007, 04:30:08 pm »

After some testing I have determined that your host does not accept requests with variable data containing more than 512 characters.

Change example.com to your domain in the following links:

This one works (em=512 characters)

This one doesn't (em=513 characters)

Looking at the "phpinfo()" function I see the "suhosin extension" which by Googling is a PHP hardening add-on. This extension may be responsible for limiting the size of requests.

There is unfortunately no workaround for this at this time. bounce.php must be completely rewritten in Perl. There are plans for this to be done in the future.

Regards

DW · « **Reply #9 on:** October 10, 2007, 05:29:34 pm »

Thinking a bit more on this there is a potential workaround and that is to limit the size of em sent to bounce.php to 512. This just may be enough information for ListMail to process the bounce.

I have done this for the installation I have access to (Deanna)

In bounce.cgi, this line:

Code: [Select]

$sys_cmd = $http_program . "\\?em=" . encode(substr($email,0,4096)) . " 1> /dev/null 2> /dev/null";
Was changed to this:

Code: [Select]

$sys_cmd = $http_program . "\\?em=" . substr(encode($email),0,512) . " 1> /dev/null 2> /dev/null";
Regards

deanna · « **Reply #10 on:** October 11, 2007, 10:47:12 am »

Hello Dean,

After your pointing me in this direction I did find errors in messages and it would seem you are exactly correct:

Code: [Select]

Oct  7 07:43:17 SERVER suhosin[18313]: ALERT - configured GET variable value length limit exceeded - dropped variable 'em' (attacker 'IP#', file '/home/ddavis/public_html/listmail/bounce.php')

I could raise this limit but 4k seems awfully high and rather defeats the purpose of this block (which is suhosin.get.max_value_length by the way). Will the 512 work or is there a slightly higher number you would prefer to see?

Thanks!

DW · « **Reply #11 on:** October 12, 2007, 05:33:00 am »

The size should be enough for the incoming message headers, the bouncing servers bounce report / error message, and the headers of the returned/bounced message so, guessing really, I recommend raising it to at least 2k.

Have you been subject to a large GET-based attack? These should be quite rare and ineffective... I don't see any additional danger to raising the limit.

Regards

deanna · « **Reply #12 on:** October 12, 2007, 07:31:05 am »

Alright Dean I have raised the limit to 2048 and edited the cgi file to that as well.

No I have not be subject to such an attack but there are many attacks I have not been subject to. Does that mean I want to leave myself exposed to them?

We shall see how this goes and I will look for your next release.

Thanks!

deanna · « **Reply #13 on:** October 12, 2007, 09:13:38 am »

I am happy to announce that 2k worked perfectly on a test mailing.

I do apologize for this having been a server config problem although now you know what needs to be done if you run across anyone else that is using Suhosin at least.

Thanks!