At 11:03 PM +0000 7/26/2000, Jeremy Howard wrote:
>> I see intermittent Apache error_log entries like:
>>
>>  [Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require
>>  while running with -T switch at (eval 85) line 3.
>>  ...
>>  I suspect MIME::Lite, but the code won't work if I remove it
>
>Yes, MIME::Lite needs special treatment to be taint-safe. Get the latest
>version from CPAN, then do a 'perldoc taint'. I submitted a patch to the
>author which he has documented, that enables a taint-safe mode.

cpan> i MIME::Lite 
Module id = MIME::Lite
     DESCRIPTION  Single module for composing simple MIME msgs
     CPAN_USERID  ERYQ (Eryq <[EMAIL PROTECTED]>)
     CPAN_VERSION 2.101
     CPAN_FILE    E/ER/ERYQ/MIME-Lite-2.101.tar.gz
     DSLI_STATUS  RdpO (released,developer,perl,object-oriented)
     MANPAGE      MIME::Lite - low-calorie MIME generator
     INST_FILE    /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm
     INST_VERSION 2.101

$ perldoc taint
No documentation found for "taint".

$ perldoc MIME::Lite
      Version 1.142
          Added new, taint-safe invocation of "sendmail", one
          which also sets up the `-f' option.  Unfortunately, I
          couldn't make this automatic:  the change could have
          broken a lot of code out there which used
          send_by_sendmail() with unusual "sendmail" variants. So
          you'll have to configure "send" to use the new
          mechanism:

              MIME::Lite->send('sendmail');       ### no args!

          Thanks to Jeremy Howard for suggesting these features.

But I'm using MIME::Lite->send("smtp", "localhost"), which the author 
describes as taint-safe. It certainly should be taint-safe, since the 
message is sent out via socket communication in Net::SMTP and 
friends. I'm using it primarily so that I can munge headers freely - 
postfix understandably doesn't allow complete freedom from the 
command line.

>Apache always prints the line number and module the error occurs on when
>I've had taint issues. I don't know why it doesn't for you... maybe you
>just need to add:
>use Apache qw(warn);
>at the start of your modules?

I'll try that, but Apache::warn is supposed to override CORE::warn. If I put
        warn "this is a warning";
in my code, it works as documented.

>I suggest rereading perldoc perlsec a few more times--there's a lot of
>info in there and it took me a while for it to sink in. Setting your
>ENV{...} safely isn't enough--any unsafe function (such as open() used by
>MIME::Lite) must have its input data cleaned unless its input data is a
>constant.

I'm only passing scalar text to MIME::Lite - no file attachments, so 
it shouldn't open(). Anyway, if it were, why don't I see "Insecure 
dependency in open" instead of "...in require"?

Thanks for the ideas, though.

-- Mike
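As an added illustration (not code from either poster), a short script to run with `perl -T` that shows the taint point discussed above: a module name derived from %ENV is tainted, passing it to require() would raise "Insecure dependency in require", and a regex capture is what untaints it. It assumes MIME::Lite is installed; the substr() trick is a constructed way to taint a value deliberately.

```perl
#!/usr/bin/perl -T
# Added example, not from the mailing-list thread. Run as: perl -T taint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted input: substr() of an %ENV value is tainted even when
# empty, and concatenation spreads the taint to the whole string. In a real
# CGI or mod_perl handler the module name would come from a request parameter.
my $requested = substr($ENV{PATH}, 0, 0) . 'MIME::Lite';
print "tainted before cleaning: ", (tainted($requested) ? "yes" : "no"), "\n";

# Under -T this line would die with
#   "Insecure dependency in require while running with -T switch"
# because the argument carries taint:
#   require module_path($requested);

# Untainting: only characters legal in a package name are accepted, and the
# capture group result is what perl considers clean (see perldoc perlsec).
my ($clean) = $requested =~ /\A([A-Za-z_]\w*(?:::[A-Za-z_]\w*)*)\z/
    or die "refused to load module with unexpected characters: $requested\n";
print "tainted after cleaning:  ", (tainted($clean) ? "yes" : "no"), "\n";

# require with a string wants a file path, so Foo::Bar becomes Foo/Bar.pm
sub module_path {
    my ($name) = @_;
    (my $path = "$name.pm") =~ s{::}{/}g;
    return $path;
}

my $path = module_path($clean);
require $path;    # now accepted under -T
print "loaded $clean from $INC{$path}\n";
```

If the shebang carries -T, the script must also be started with `perl -T`, otherwise perl stops with "Too late for -T".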
