Patrick LeBoutillier wrote:
>
> Hi all (but mostly Brian),
>
> When running Inline::Java with UNTAINT, I came across this kind of error.
<INTRO>
Inline has 2 modes for dealing with '-T': 'UNTAINT' and 'SAFEMODE'.
UNTAINT mode automatically turns on SAFEMODE. To defeat '-T' insecurely,
you need to say:
use Inline qw(Untaint Unsafe);
</INTRO>
The purpose of UNTAINT is to blindly defeat all taint checks. The purpose
of SAFEMODE is to try to supply some measure of security. UNTAINT is
relatively easy. SAFEMODE is a can of worms. My rule of thumb is to wait
until somebody brings up a security concern, and try to deal with it in
a sane way. You may be able to use the Safe module, but I think there
are known holes in that. Sometimes the best thing to do is croak,
especially if the program is being run as root. I'm no security expert,
so use your best judgment and make sure that the size of your disclaimer
is inversely proportionate to that of your efforts. ;)
>
> Insecure directory in $ENV{PATH} while running with -T switch at
> /usr/local/perl56/lib/perl5/5.6.0/Cwd.pm line 85, <DATA> line 310.
>
> Is this an error that I should try to overcome? I think it means that the
> user's PATH is insecure (i.e. contains directories that can be written to by
> others), and I don't think there's much the application can do about that...
Can't you $ENV{PATH}=join ':', grep {not bad} split ':', $ENV{PATH}; ?
>
> This error comes from the fact that Cwd::cwd() in fact uses `pwd`, which uses
> PATH. I also look at PATH to call 'make' and to locate the Java
> binaries.
>
> I was able to bypass the error by dissecting PATH and finding the binary I'm
> looking for and calling it with an absolute path. I don't get the error, but
> it's not more secure...
Inline::Java rocks! Don't get too caught up in this stuff. All will
mature in time. I would just concentrate on fixing the Windows buglets
and getting your stuff out there.
Cheers, Brian
--
perl -le 'use Inline C=>q{SV*JAxH(char*x){return newSVpvf
("Just Another %s Hacker",x);}};print JAxH+Perl'
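Brian's one-line suggestion of filtering $ENV{PATH}, carried out as a complete script under -T; this is an added example, not code from the thread or from Inline. The keep policy (absolute, existing, not group- or world-writable) is this example's own, somewhat stricter than the world-writable check perldiag describes, and the regex capture is what actually untaints each kept entry, since a tainted PATH is rejected by backticks regardless of its contents.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Return a copy of PATH containing only directories that are absolute, exist,
# and are not writable by group or world. Each kept entry passes through a
# regex capture so the result is untainted and usable by `pwd`, system(), etc.
sub sanitize_path {
    my ($path) = @_;
    my @keep;
    for my $dir (split /:/, $path, -1) {
        next if $dir eq '';                      # empty entry means "." (cwd)
        next unless $dir =~ m{\A(/[^\0]*)\z};    # drop relative entries
        my $clean = $1;                          # untainted copy of the entry
        my @st = stat $clean or next;            # drop nonexistent entries
        next unless -d _;
        next if $st[2] & 022;                    # group- or world-writable dir
        push @keep, $clean;
    }
    return join ':', @keep;
}

$ENV{PATH} = sanitize_path($ENV{PATH});
# perl -T also refuses to run subprocesses while these are set from outside
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "PATH=$ENV{PATH}\n";
print `pwd`;   # the Cwd::cwd() style call that failed in the report
```

Run it as `perl -T script.pl`; a directory such as /tmp (world-writable) is dropped from PATH rather than triggering "Insecure directory in $ENV{PATH}".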