I have an old Python-based web form that I am updating to use GPG for encryption instead of a no longer supported Python package. When I call the script via the command line it works just fine, but via the web browser and CGI there is an error: IOError: [Errno 32] Broken pipe. This error occurs if I use the gnupg package or if I try to talk to gpg directly via subprocess.

Versions:

Python 2.4.1 
gnupg 0.2.2 (python GPG wrapper)
Apache/2.2.9 
gpg 1.4.9

Here is a simplified script:

#!/usr/bin/python 

import sys
# send python tracebacks out to the web browser
sys.stderr = sys.stdout
import gnupg
gpg = gnupg.GPG()
gpgkey = 'np'
message = 'Our secret message!'
print "Content-type: text/html\r\n"
print '''<html><head><title>Test GPG access via cgi</title>
          </head><body><pre>'''
print 'message in the clear:'
print message
encrypted = str(gpg.encrypt(message, 'np'))
print 'message encrypted:' 
print encrypted
print '''</pre></body></html>'''

When the above script is called via the command line, it runs just fine, but when called via CGI it generates the following errors:

message in the clear:
Our secret message!
Traceback (most recent call last):
  File "/home/dkmaster/www/nickads/secure-cgi/gpgtest.py", line 23, in 
    encrypted = str(gpg.encrypt(message, 'np'))
  File "/home/dkmaster/www/nickads/secure-cgi/gnupg.py", line 517, in encrypt
    return self.encrypt_file(StringIO(data), recipients, **kwargs)
  File "/home/dkmaster/www/nickads/secure-cgi/gnupg.py", line 467, in encrypt_file
    self._handle_io(args, file, result, passphrase=passphrase)
  File "/home/dkmaster/www/nickads/secure-cgi/gnupg.py", line 201, in _handle_io
    _copy_data(file, stdin)
  File "/home/dkmaster/www/nickads/secure-cgi/gnupg.py", line 75, in _copy_data
    outstream.write(data)
IOError: [Errno 32] Broken pipe

I also tried to talk to GPG directly via subprocess and not the gnupg module.

#!/usr/bin/python

import sys
import subprocess
sys.stderr = sys.stdout
print "Content-type: text/html\r\n"
print '''<html><head><title>Test subprocess via cgi</title>
           </head><body><pre>'''

plain_text = 'the quick fox ' * 10
print plain_text
gpgCommand = "/usr/bin/gpg --quiet -a -e -r 'np' "
gpgProcess = subprocess.Popen(
                      gpgCommand,
                      stdin=subprocess.PIPE, 
                      stdout=subprocess.PIPE, 
                      stderr=subprocess.PIPE, 
                      shell=True
                      )
encrypted_text = gpgProcess.communicate(plain_text)[0]
print encrypted_text

Again this works fine from the command line, but not via CGI which generates a similar error:

Traceback (most recent call last):
  File "/home/dkmaster/www/nickads/secure-cgi/subprocesstest.py", line 20, in 
    encrypted_text = gpgProcess.communicate(plain_text)[0]
  File "/usr/lib/python2.5/subprocess.py", line 670, in communicate
    return self._communicate(input)
  File "/usr/lib/python2.5/subprocess.py", line 1220, in _communicate
    bytes_written = self._write_no_intr(self.stdin.fileno(), buffer(input, input_offset, 512))
  File "/usr/lib/python2.5/subprocess.py", line 999, in _write_no_intr
    return os.write(fd, s)
OSError: [Errno 32] Broken pipe

So how do I fix the pipes in CGI?

A: 

Good question - I'm not sure that it's either a python-gnupg issue or even a gpg issue. It might be an issue with subprocess or cgi or some interaction between the two. What happens if you try this with a very minimal script which reads from stdin and writes the output to a file? Does that work?

It's also worth enabling logging to see what that throws up, if anything. See the test_gnupg.py script for an example on how to do that.

Vinay Sajip

A: 

I know my answer might come too late, but I recently had the same problem and I think I could solve it.

GPG seems to output some stuff ("You need a passphrase" blabla) to the terminal regardless of stdout being redirected - don't ask me how :)

However, the Broken Pipe seems to occur because gpg can't output these messages in a cgi environment (happens for me with uwsgi). It even prints them out if --quiet was passed. It only seems to be really really quiet if you pass --batch additionally.

fredreichbier
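
An added example, not code from either poster or from python-gnupg: one way to call gpg from a CGI script so that it never prompts and so that a failure surfaces gpg's own stderr instead of a bare broken pipe. It is written for Python 3 (the question uses Python 2); the function names are hypothetical, and `--no-tty` is an assumption added alongside the `--batch` flag from the answer above.

```python
import subprocess

GPG = "/usr/bin/gpg"  # path used in the question


def build_gpg_argv(recipient, gpg=GPG):
    """Argument list for a non-interactive, ASCII-armored encryption."""
    if not recipient or recipient.startswith("-"):
        # Defensive: a form-supplied value must never be parsed as an option.
        raise ValueError("invalid recipient: %r" % recipient)
    return [
        gpg,
        "--batch",    # never prompt; the flag the answer above found necessary
        "--no-tty",   # assumption: also stop gpg from opening the terminal
        "--quiet",
        "--armor",
        "--encrypt",
        "--recipient", recipient,
    ]


def run_filter(argv, data):
    """Feed data to argv's stdin; return (returncode, stdout, stderr)."""
    proc = subprocess.Popen(
        argv,  # a list, so no shell parses the recipient
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    # Python 3's communicate() ignores EPIPE when the child exits before
    # reading its stdin, so the exit status and stderr carry the real error.
    out, err = proc.communicate(data)
    return proc.returncode, out, err


def encrypt_for(recipient, plaintext, gpg=GPG):
    """Return armored ciphertext, or raise with gpg's own diagnostic."""
    rc, out, err = run_filter(build_gpg_argv(recipient, gpg), plaintext)
    if rc != 0 or not out:
        msg = err.decode(errors="replace").strip()
        raise RuntimeError("gpg exited %d: %s" % (rc, msg))
    return out
```

In a CGI handler, `encrypt_for('np', message_bytes)` either returns the armored block or raises with whatever gpg wrote to stderr, which can go to the server log.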