On Tue, Dec 10, 2002 at 04:03:13PM -0500, Sean Gray <[EMAIL PROTECTED]> wrote:
> You could try removing the -T from the first line of the offending
> perl script.
That would remove the perl taint testing, and it's there to ensure you
don't use untrusted data by mistake. Don't remove it - fix the offending
line by confirming that it is indeed the type/format of data you want
to use.
Here's an extract of perlsec(1):
Perl automatically enables a set of special security
checks, called taint mode, when it detects its program
running with differing real and effective user or group
IDs. The setuid bit in Unix permissions is mode 04000,
the setgid bit mode 02000; either or both may be set. You
can also enable taint mode explicitly by using the -T
command line flag. This flag is strongly suggested for server
programs and any program run on behalf of someone else,
such as a CGI script. Once taint mode is on, it's on for
the remainder of your script.
While in this mode, Perl takes special precautions called
taint checks to prevent both obvious and subtle traps.
Some of these checks are reasonably simple, such as
verifying that path directories aren't writable by others;
careful programmers have always used checks like these.
You may not use data derived from outside your program to
affect something else outside your program--at least, not
by accident. All command line arguments, environment
variables, locale information (see the perllocale
manpage), results of certain system calls (readdir(),
readlink(), the variable of shmread(), the messages returned
by msgrcv(), the password, gcos and shell fields returned
by the getpwxxx() calls), and all file input are marked as
"tainted". Tainted data may not be used directly or
indirectly in any command that invokes a sub-shell, nor in any
command that modifies files, directories, or processes,
[...]
Read on to see how to untaint the data.
Gordon
> Sean
>
> Quoting Abe Loveless <[EMAIL PROTECTED]>:
>
> >
> > I'm working on a custom panel for the mkCDrec package.
> > http://mkcdrec.ota.be/project/index.html
> >
> > One of my sub-routines returns this error from the server-manager.
> >
> > <ERROR>
> > Software error:
> > Insecure dependency in system while running with -T switch at
> > /etc/e-smith/web/panels/manager/cgi-bin/mkcdrec line 278.
> >
> > For help, please send mail to the webmaster
> > ([EMAIL PROTECTED]), giving this error message and the time
> > and date of the error.
> > </ERROR>
> >
> >
> > The devinfo archive didn't return any results. (at least "insecure
> > dependency" didn't)
> >
> > The forums returned this thread:
> > http://www.e-smith.org/bboard//read.php?v=t&f=1&i=1235&t=1216
> >
> > The forum thread references an e-smith 4.0 bug.
> >
> >
> > The line referenced in the error is the following:
> > system ("/bin/rm -f /opt/utilities/mkcdrec/backup_archive/".
> > $iso) == 0
> > or die ("Error occurred while removing ". $iso ."\n");
> >
> > I'm trying to delete the backup iso image from my backup archive.
> >
> >
> > Any thoughts on what this error refers to, or where I can go to find the
> > answer?
> >
> > Thanks,
> > Abe
> >
Gordon Rowell [EMAIL PROTECTED]
Director, Engineering
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/smallbusiness
--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Searchable archive at http://www.mail-archive.com/devinfo%40lists.e-smith.org
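As an added example (not code from this thread or from the mkCDrec project), the untaint step Gordon points to, applied to the line 278 that Abe quotes: the archive name is matched against an explicit pattern, the captured group is what -T treats as clean, and the file is removed with unlink() instead of a shell command. The archive directory is the one from the error message; the PATH value and the .iso naming rule are assumptions. Run it as `perl -T script.pl` so the shebang's -T is not rejected as "too late".

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread: keep -T and untaint the
# archive name instead of dropping taint checks.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, system()/exec() refuse to run while PATH is tainted, so set
# it explicitly even though unlink() below needs no shell. (Assumed value.)
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Directory from the error message in the thread.
my $archive_dir = '/opt/utilities/mkcdrec/backup_archive';

# Accept only a plain ISO file name: no '/', no NUL, no shell metacharacters.
# A capture from a regex match is the one way to untaint under -T, so the
# pattern must be as narrow as the data allows (assumed naming rule).
sub untaint_iso_name {
    my ($name) = @_;
    return unless defined $name;
    if ($name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]*\.iso)\z/) {
        return $1;    # $1 is untainted, $name is still tainted
    }
    return;
}

# Delete with unlink() rather than system("/bin/rm -f ..."): no sub-shell,
# no word splitting, and the return value says exactly what happened.
sub remove_archive {
    my ($iso) = @_;
    my $clean = untaint_iso_name($iso)
        or die "Refusing to remove '$iso': not a plain .iso file name\n";
    my $path = "$archive_dir/$clean";
    unlink($path) == 1
        or die "Error occurred while removing $path: $!\n";
    return $path;
}

# Demo on the first argument: @ARGV, like CGI form values, is tainted.
if (@ARGV) {
    my $iso = $ARGV[0];
    print "input tainted: ", (tainted($iso) ? "yes" : "no"), "\n";
    my $clean = untaint_iso_name($iso);
    print defined $clean
        ? "accepted: $clean (tainted: " . (tainted($clean) ? "yes" : "no") . ")\n"
        : "rejected: $iso\n";
}
```

A name such as `../etc/passwd` or `foo.iso;rm -rf /` fails the match and is never handed to the filesystem, while `backup-2002-12-06.iso` is accepted and the returned value is clean.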