There is a remote possibility (I would have to test this at work) that your
command-line testing will never show a taint problem.

Because you are typing all the Perl commands in STDIN, and because STDIN
is by its very definition tainted, you get a security paradox and Perl may
be turning off taint mode entirely to avoid this.

If you really want to test this at the command line, make the script and
then run it from the command line as the user the web server runs as (not you).

Also, is this really a mod_perl problem? Have you tried running the program
using normal CGI/Perl?

Also, scripts that run under Apache::PerlRun tend to be messy. So if you
have many PerlRun scripts on a server, there is some likelihood that a
given foo.pl may be screwy if you have more than one as a required library.

One thing that comes to mind is that many old CGI/Perl scripts tend to use
a "setup.pl" file that is required. This will break in mod_perl because
setup.pl will be loaded into %INC and never loaded again for other scripts
(as that "library" will be considered as cached).

Although I seem to remember Apache::PerlRun treating required libraries
differently (e.g., resetting %INC after the script runs).

Later,
Gunther

At 03:37 PM 7/2/00 -0700, Michael Blakeley wrote:
>At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm seeing
>>intermittent taint errors like
>>[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>require while running with -T switch at /foo.pl line 5.
>>
>>head -6 foo.pl shows:
>>
>>#!perl
>>
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>use strict;
>>
>>Seeing http://forum.swarthmore.edu/epigone/modperl/luthesmex I thought
>>that moving 'use strict' to the top might help:
>>
>>#!perl
>>
>>use strict;
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>
>>It didn't help.
>
>Scratch the rest of that. The line number did move with MIME::Lite after
>all. But... I'm still hitting the taint errors. The weird thing is that I
>can do
>
>perl -Tw
>use strict;
>use Apache::Constants qw/:http/;
>use LWP;
>use MIME::Lite;
><ctrl-D>
>
>all I like, and never see the taint error. Ideas?
>
>thanks,
>-- Mike
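
The %INC caching described in the reply above can be reproduced outside Apache. This is an added example, not code from the thread: the packages ScriptA and ScriptB, the sub site_config and the counter $loads are constructed names, and the two packages stand in for two scripts that mod_perl compiles into separate packages inside one interpreter.

```perl
#!/usr/bin/perl
# Added illustration; every file, package and sub name here is constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

our $loads = 0;    # incremented each time setup.pl is actually compiled and run

# Constructed stand-in for an old-style "setup.pl": no package statement,
# so its subs are compiled into whichever package requires it first.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/setup.pl" or die "cannot write setup.pl: $!";
print {$fh} <<'LIB';
$main::loads++;
sub site_config { return 'loaded' }
1;
LIB
close $fh or die "cannot close setup.pl: $!";
unshift @INC, $dir;

# First "script": setup.pl is compiled and recorded in %INC.
package ScriptA;
require 'setup.pl';

# Second "script": %INC already lists setup.pl, so this require is a no-op
# and ScriptB never receives site_config.
package ScriptB;
require 'setup.pl';

package main;
report('after both requires');

# Forgetting the cache entry makes the next require compile the file again,
# this time into ScriptB.
delete $INC{'setup.pl'};
package ScriptB;
require 'setup.pl';

package main;
report('after deleting the %INC entry');

sub report {
    my ($label) = @_;
    printf "%-30s compiled=%d", $label, $loads;
    printf " %s::site_config=%s", $_, ($_->can('site_config') ? 'yes' : 'no')
        for qw(ScriptA ScriptB);
    print "\n";
}
```

Giving the library its own package statement and calling its subs by their qualified names avoids the problem without touching %INC.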