[EMAIL PROTECTED] wrote: [...]
Index: env.pm
===================================================================
RCS file: /home/cvs/modperl-2.0/t/response/TestDirective/env.pm,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -u -r1.5 -r1.6
--- env.pm 25 Sep 2004 19:01:15 -0000 1.5
+++ env.pm 25 Sep 2004 19:30:07 -0000 1.6
@@ -88,7 +88,7 @@
PerlSetEnv TestDirective__env_srv2 env_srv2
# XXX: temp workaround
- PerlPostReadRequestHandler Apache::OK
+ PerlPostReadRequestHandler 'sub { use Apache::Const qw(DECLINED); DECLINED }'
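Review bot: On the `+` line the handler no longer returns OK; it returns DECLINED from an anonymous sub passed as a string. The `# XXX: temp workaround` comment just above it is left unchanged and says neither what is being worked around nor why the return value changed. Please expand that comment to state both, along with the condition under which the workaround can be dropped, so the anonymous handler is not mistaken for part of what this test checks.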
And that uncovered an old-new problem of calling modperl_croak and following it by any eval call, which is the case above (as it's an anonymous handler). At the moment 'make test' fails at t/filter/in_str_bin_data.t, because it happens to run next in the same interpreter after the test t/filter/in_error. The error is:
Insecure dependency in eval while running setgid. Callback called exit.
So we need to figure out how to safely untaint the global interpreter taint-state after modperl_croak was called.
So I've committed a fix that turns the tainted-state to FALSE before running each callback and restores it afterwards to the original state.
I'm not entirely sure whether this is perfectly safe, but I don't think callbacks should affect each other's taintedness state.
Notice that my patch does not turn -T off internally, it just resets the PL_tainted flag.
If you think it has security implications please make yourself heard. I'm not entirely sure this change is 100% safe.
One of the main problems we are trying to solve is that when modperl_croak is called (which calls perl's croak(Nullch) to throw an error object) it leaves the interpreter in the tainted state (which supposedly will be fixed in 5.8.6), which later affects other callbacks that call eval, etc., which triggers a perl crash with: Insecure dependency in eval while running setgid. Callback called exit.
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com