At 3:58 PM -0700 7/25/2000, Michael Blakeley wrote:
>Solaris 2.6, Perl 5.6, apache 1.3.9, mod_perl 1.24.
>
>I see intermittent Apache error_log entries like:
>
>[Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require 
>while running with -T switch at (eval 85) line 3.
>
>OK, I (normally) run with PerlTaintCheck on, and I've read perlsec. 
>My PATH is ''. How can I find out where this insecure dependency 
>_is_, so I can turn taint back on? The timestamp tells me which 
>script failed, and it uses a whole slew of modules.
>       use strict;
>       use Apache::Constants qw/:http/;
>       use LWP;
>       use tuner;
>       use MIME::Lite;
>       use HTML::Parse;
>
>I suspect MIME::Lite, but the code won't work if I remove it. How 
>can I be sure if it's to blame, so I can attempt to patch it (or its 
>dependencies)? Is there anything like a Taint::Carp, that'd give me 
>a full back-trace from the insecure code (and works under mod_perl)?
>
>Running with PERL5OPT=-d is no good; the problem never shows up. 
>perl -cwT shows nothing (which confirms that it's a runtime error, I 
>suppose).
>
>The Guide, perlrun, perlsec, and the perl books I've read are... a 
>little weak on Taint debugging techniques. If I can ever work 
>through the problems I'm having, I'll be delighted to contribute 
>some docs on this.

I think I've worked through the problem. Alas, I haven't uncovered 
any cool new debugging techniques to document for the list. Instead, 
I lucked into a fix.

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-07/msg00599.html
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00126.html

Basically it seems that AP616 (ActiveState's mostly-Win32 patch to 
date) is a pretty good 5.6.1 "release candidate" for Solaris and 
Linux, too. It fixes several known bugs in 5.6.0 (none of them are 
directly Taint-related, but...).

I did have to rebuild perl, mod_perl, and apache - but I'm used to 
that. Also, AP616 added a test for Sys::Syslog, which failed on my 
Solaris system. 5.6.0 didn't have this test, and I don't use 
Sys::Syslog, so I just removed the test. Also, perl -V now returns 
some ActiveState info (which I suppose you could remove).

I've been running with AP616 and Taint On for three days now, and it 
seems to have fixed my problems. I hope so. I really hope so.

-- Mike
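As an added example, not part of either message in this thread: the back-trace the question asks for can be produced without a special module, by installing a `$SIG{__DIE__}` handler that passes the taint failure to `Carp::confess`. The `load_plugin` function and the `PLUGIN` command-line argument are hypothetical stand-ins for a module that builds a `require` argument from tainted data.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): turn a bare "Insecure dependency"
# fatal error into a full stack trace so the offending require (or system,
# open, exec) can be located. Under mod_perl the same handler can be
# installed once from the startup file; it then applies to every request.
use strict;
use warnings;
use Carp ();

# Perl invokes a __DIE__ hook for its own internal fatal errors, such as
# "Insecure dependency in require", not only for explicit die() calls.
$SIG{__DIE__} = sub {
    my ($msg) = @_;
    # Only intervene for taint failures; let everything else die normally.
    return unless $msg =~ /Insecure dependency/;
    # confess() re-dies with the message plus a caller-by-caller back-trace,
    # naming the package, file and line that handed tainted data to require.
    Carp::confess($msg);
};

# Hypothetical module-style code doing what the thread suspects some
# dependency of doing: building a require() target from tainted input.
sub load_plugin {
    my ($name) = @_;
    require "$name.pm";    # tainted $name -> "Insecure dependency in require"
}

# Command-line arguments are tainted under -T, so this value is tainted.
my $plugin = shift @ARGV
    or die "usage: perl -T $0 plugin-name\n";
load_plugin($plugin);
```

Run it as `perl -T trace_taint.pl Example` (the `-T` must be on the command line as well as the shebang, or perl reports "Too late for -T"); the trace ends in `main::load_plugin('Example') called at ... line N`, which is the line to follow back through the suspect module.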
