At 11:03 PM +0000 7/26/2000, Jeremy Howard wrote:
>> I see intermittent Apache error_log entries like:
>>
>> [Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require
>> while running with -T switch at (eval 85) line 3.
>> ...
>> I suspect MIME::Lite, but the code won't work if I remove it
>
>Yes, MIME::Lite needs special treatment to be taint-safe. Get the latest
>version from CPAN, then do a 'perldoc taint'. I submitted a patch to the
>author which he has documented, that enables a taint-safe mode.
cpan> i MIME::Lite
Module id = MIME::Lite
DESCRIPTION Single module for composing simple MIME msgs
CPAN_USERID ERYQ (Eryq <[EMAIL PROTECTED]>)
CPAN_VERSION 2.101
CPAN_FILE E/ER/ERYQ/MIME-Lite-2.101.tar.gz
DSLI_STATUS RdpO (released,developer,perl,object-oriented)
MANPAGE MIME::Lite - low-calorie MIME generator
INST_FILE /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm
INST_VERSION 2.101
$ perldoc taint
No documentation found for "taint".
$ perldoc MIME::Lite
Version 1.142
Added new, taint-safe invocation of "sendmail", one
which also sets up the `-f' option. Unfortunately, I
couldn't make this automatic: the change could have
broken a lot of code out there which used
send_by_sendmail() with unusual "sendmail" variants. So
you'll have to configure "send" to use the new
mechanism:
MIME::Lite->send('sendmail'); ### no args!
Thanks to Jeremy Howard for suggesting these features.
But I'm using MIME::Lite->send("smtp", "localhost"), which the author
describes as taint-safe. It certainly should be taint-safe, since the
message is sent out via socket communication in Net::SMTP and
friends. I'm using it primarily so that I can munge headers freely -
postfix understandably doesn't allow complete freedom from the
command line.
>Apache always prints the line number and module the error occurs on when
>I've had taint issues. I don't know why it doesn't for you... maybe you
>just need to add:
>use Apache qw(warn);
>at the start of your modules?
I'll try that, but Apache::warn is supposed to override CORE::warn. If I put
warn "this is a warning";
in my code, it works as documented.
>I suggest rereading perldoc perlsec a few more times--there's a lot of
>info in there and it took me a while for it to sink in. Setting your
>ENV{...} safely isn't enough--any unsafe function (such as open() used by
>MIME::Lite) must have its input data cleaned unless its input data is a
>constant.
I'm only passing scalar text to MIME::Lite - no file attachments, so
it shouldn't open(). Anyway, if it were, why don't I see "Insecure
dependency in open" instead of "...in require"?
Thanks for the ideas, though.
-- Mike
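For readers following the thread: the message quoted at the top, "Insecure dependency in require while running with -T switch", is what perl prints when a tainted string reaches require under -T, regardless of whether anything is ever open()ed. The short script below is an added illustration, not code from Mike, Jeremy or MIME::Lite; the environment variable name WANTED_MODULE and the helper require_module are made up for the demo. It shows the taint check firing on require and the regex-capture idiom from perlsec that is the only way to clear the taint.

```perl
#!/usr/bin/perl -T
# Added example: how taint mode (-T) treats require, and how to untaint
# a value before passing it on. Run as:
#   WANTED_MODULE=File::Spec perl -T demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: anything that comes from outside the program (here an
# environment variable, as a CGI or mod_perl handler would see) is tainted.
# WANTED_MODULE is a hypothetical name chosen for this demo.
my $wanted = defined $ENV{WANTED_MODULE} ? $ENV{WANTED_MODULE} : 'strict';

print "value '$wanted' is ", (tainted($wanted) ? "tainted" : "clean"), "\n";

# 1) Passing the tainted value straight to require dies under -T with
#    "Insecure dependency in require while running with -T switch".
my $ok = eval { require_module($wanted); 1 };
print "direct require: ", ($ok ? "loaded\n" : "refused: $@");

# 2) Untainting: only the part captured by a regex is considered clean, so
#    the pattern must be strict enough that nothing unexpected can pass.
#    This one admits bare package names such as Foo or Foo::Bar only.
my ($clean) = $wanted =~ /\A([A-Za-z_]\w*(?:::[A-Za-z_]\w*)*)\z/
    or die "module name '$wanted' contains unexpected characters\n";

print "captured '$clean' is ", (tainted($clean) ? "tainted" : "clean"), "\n";
$ok = eval { require_module($clean); 1 };
print "untainted require: ", ($ok ? "loaded\n" : "refused: $@");

# Hypothetical helper: turn a package name into the file require expects.
sub require_module {
    my ($name) = @_;
    (my $file = "$name.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    require $file;
    return 1;
}
```

Two things worth noting when reading the output: the taint survives string interpolation and s///, so the computed file name is just as tainted as the original value, which is why the first require is refused; and the second require is accepted only because the value came out of a regex capture, not because the script "checked" it in some other way. Leaving the variable unset makes the default 'strict' untainted and both requires succeed, which is a quick way to confirm the check is really about taint and not about the module.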