Greets,

I've got a whole bunch of stuff in Kinosearch rewritten in Inline C, and it's going great! But there's a snag. When I run my cgi script with -T to enable taint mode, Apache bombs out with an internal server error:

[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] Insecure dependency in require while running with -T switch at blib/lib/Inline.pm (autosplit into blib/lib/auto/Inline/find_temp_dir.al) line 1247.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.5/Search/Kinosearch/KSearch/ResultSet.pm line 1088.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] Compilation failed in require at /usr/local/lib/perl5/site_perl/5.8.5/Search/Kinosearch/QueryParser.pm line 6.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.5/Search/Kinosearch/QueryParser.pm line 6.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] Compilation failed in require at (eval 3) line 3.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] \t...propagated at /usr/local/lib/perl5/5.8.5/base.pm line 85.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.5/Search/Kinosearch/KSearch.pm line 6.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] Compilation failed in require at /usr/local/www/cgi-bin/uscon_search.cgi line 9.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] BEGIN failed--compilation aborted at /usr/local/www/cgi-bin/uscon_search.cgi line 9.
[Wed Jul 06 17:20:37 2005] [error] [client 24.21.47.23] Premature end of script headers: uscon_search.cgi

If I have done what I intended to do, no information from a web form makes it into the C portion of the Kinosearch engine. The idea was that the search query that you enter determines the data that gets sucked off disk and chewed by Inline C, but the formdata itself stays in Perl, making it a lot harder to exploit any security holes. It's possible that I've overlooked something, but is there another explanation for the error?

Marvin Humphrey
Rectangular Research
http://www.rectangular.com/
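
An added illustration, not part of the original post and not Inline's or Kinosearch's code: Perl's taint mode treats values taken from the environment as tainted, not only form data, and a `require` on a path built from such a value dies with the same "Insecure dependency in require" message seen in the log above. The module used (File/Basename.pm), the helper names and the Unix-style path pattern are assumptions made for this demo; the post does not establish that this is what happens inside Inline.

```perl
#!/usr/bin/perl -T
# Added demo (not from the original post): a tainted path passed to require,
# and the same path after explicit validation. Run as: perl -T taint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: File/Basename.pm is installed and not yet loaded at this point.
my $module = 'File/Basename.pm';
my ($path) = grep { -f } map { "$_/$module" } grep { !ref } @INC;
die "cannot find $module in \@INC\n" unless defined $path;

# A zero-length slice of environment data is empty but still tainted, so
# appending it models "a path computed from %ENV" without changing the path.
my $taint    = substr(join('', values %ENV), 0, 0);
my $from_env = $path . $taint;
die "environment is empty, nothing tainted to show\n" unless tainted($from_env);

# Attempt the require inside eval so the taint failure can be reported.
sub try_require {
    my ($file) = @_;
    return 'loaded' if eval { require $file; 1 };
    chomp(my $err = $@);
    return "refused: $err";
}

# Untaint only by validation: absolute path, conservative character set,
# .pm suffix, no ".." components. A regex capture is what clears the taint.
sub untaint_module_path {
    my ($candidate) = @_;
    return if $candidate =~ m{(?:\A|/)\.\.(?:/|\z)};
    my ($clean) = $candidate =~ m{\A(/[\w.+/-]+\.pm)\z};
    return $clean;
}

printf "path tainted?           %s\n", tainted($from_env) ? 'yes' : 'no';
printf "require(tainted path):  %s\n", try_require($from_env);

my $clean = untaint_module_path($from_env);
die "path failed validation, refusing to load it\n" unless defined $clean;

printf "validated path tainted? %s\n", tainted($clean) ? 'yes' : 'no';
printf "require(validated):     %s\n", try_require($clean);
```

Because `-T` is on the `#!` line, the script must also be started with `perl -T`; the validation pattern should be as narrow as the deployment allows, since a permissive capture defeats the purpose of taint checking.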
