> I see intermittent Apache error_log entries like:
> 
> [Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require 
> while running with -T switch at (eval 85) line 3.
> ...
> I suspect MIME::Lite, but the code won't work if I remove it

Yes, MIME::Lite needs special treatment to be taint-safe. Get the latest
version from CPAN, then do a 'perldoc taint'. I submitted a patch to the
author which he has documented, that enables a taint-safe mode.

Apache always prints the line number and module the error occurs on when
I've had taint issues. I don't know why it doesn't for you... maybe you
just need to add:
use Apache qw(warn);
at the start of your modules?

I suggest rereading perldoc perlsec a few more times--there's a lot of
info in there and it took me a while for it to sink in. Setting your
ENV{...} safely isn't enough--any unsafe function (such as open() used by
MIME::Lite) must have its input data cleaned unless its input data is a
constant. To clean the input data you can use (off the top of my head):

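# Test the match itself: $1 is only set (and untainted) when it succeeds,
# and a truthiness test on $1 would wrongly reject values such as "0".
if ($dirtyData =~ /^([^<>|]*)$/) {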
  my $cleanData = $1;
  # do stuff with $cleanData in unsafe functions
} else {
  # handle error nicely
}

The regex here detects obvious problem characters in Unix. A more robust
version would specifically check for safe chars, rather than removing
unsafe chars.

-- 
  Jeremy Howard
  [EMAIL PROTECTED]
  FastMail--Sign up at http://fastmail.fm
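
Added example, not part of the original message and not MIME::Lite's own code: the "check for safe chars" approach mentioned above, written as an allowlist for a bare filename. The helper name untaint_filename(), the permitted character set, the 64-character limit and the sample inputs are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Allowlist untaint: accept only characters known to be safe for a bare
# filename, instead of rejecting a few known-bad ones. Returns the captured
# value (untainted when running under -T), or undef if the input is rejected.
# untaint_filename() is a hypothetical helper, not a MIME::Lite API.
sub untaint_filename {
    my ($dirty) = @_;
    return unless defined $dirty;

    # \A and \z anchor to the true start and end of the string; a plain $
    # would also match just before a trailing newline.
    # The first character must be alphanumeric or underscore, so the value
    # can never look like an option ("-rf") or a dot path (".."). No '/' is
    # allowed anywhere, so the value cannot leave the target directory.
    if ($dirty =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;    # only read $1 after a successful match
    }
    return;
}

# Constructed sample inputs.
my @samples = (
    'report-2000.txt',     # accepted
    '../../etc/passwd',    # rejected: leading '.' and '/'
    'mail.txt|',           # rejected: '|' would make open() run a command
    "notes.txt\n",         # rejected: trailing newline fails \z
    '-rf',                 # rejected: leading '-'
    '0',                   # accepted: a valid name that is false in Perl
);

for my $input (@samples) {
    my $clean = untaint_filename($input);
    (my $shown = $input) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-20s %s\n", "'$shown'", defined $clean ? 'accepted' : 'rejected';
}
```

Callers should test the return value with defined(), since '0' is an accepted filename.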
