> I was wondering whether you tracked down the cause of tainted input of > PostgreSQL prepare statements. You posted a while back this > workaround: > > 'Instead of 'Taint => 0' try: TaintIn=>0, TaintOut=>1 > (these more selective attributes were added in DBI 1.31)' > > But I was looking for a fix in a new version of amavisd so I wouldnt > have to keep patching for every upgrade. Thanks.
As far as I can tell, it happens in DBD/Pg.pm line 281, which is within its sub last_insert_id. In order to find the last insert index, it constructs its internal SELECT, then reads $oid: my $oid = $sth->fetchall_arrayref()->[0][0]; which according to Taint=>1 attribute in DBI->connect comes back tainted. This tainted $oid is then used to construct $SQL, which, when given as argument to $dbh->prepare($SQL), causes prepare() to die of taint violation: > > Insecure dependency in parameter 1 of > > DBI::db=HASH(0x1612700)->prepare method call while running with -T switch > > at /usr/local/perl/lib/site_perl/5.8.6/sun4-solaris/DBD/Pg.pm line 281 Apart from not using Taint=>1 in amavisd-new when using PostgreSQL and working around the problem in DBD::Pg, there isn't much I can do. It is a bug in DBD::Pg and needs to be fixed there. I wouldn't like to fix what isn't broken. Mark ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
