At 11:52 AM -0700 9/27/2000, Doug MacEachern wrote:
>On Mon, 4 Sep 2000, Michael Blakeley wrote:
>
>>  I've been running with AP616 and Taint On for three days now, and it
>>  seems to have fixed my problems. I hope so. I really hope so.
>
>still looking good?  would be good to know if this isn't a problem on the
>mod_perl side :)

Well... there are still taint errors, but they're much less frequent. 
A grep over the past 30 days shows 5 errors:

[Fri Sep 22 05:24:55 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Mon Sep 18 13:46:21 2000] [error] Insecure dependency in require 
while running with -T switch at (eval 258) line 3.
[Sat Sep 16 11:14:13 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Fri Sep  1 13:05:50 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Wed Aug 30 11:07:47 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.

The access logs show that we've called that routine 92 times during 
that period. An error rate of 5.4% isn't thrilling, but it's better 
than the 99% errors that I saw before applying AP616. It seems that 
before AP616, the server would run ok for a while, then all queries 
of this type would err. Now it seems to be more subtle - perhaps the 
patch causes Perl to clean up its error, so I only get one failure at 
a time.

I don't understand why it reports a line number in some cases, and 
the eval in others. The access log shows that all these taint errors 
accessed the same URI with similar inputs. Of course, pointer errors 
tend to exhibit this kind of unpredictable behavior, and AFAICT 
"taint" is just a flipped bit inside perl.

The line referenced above, BTW, is unexceptional to my eye:
        require Net::SMTP;

So there may still be a lurking post-AP616 bug or two. I'll certainly 
keep an eye on perl.com and try 5.6.1 when it's released. But I don't 
really suspect mod_perl at this point.

-- Mike
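
The triage described in the message (grep the error log for taint failures, then compare against access-log hits), as an added example that is not part of the original message: it rejoins the wrapped error-log lines, groups failures by call site, and computes the failure rate. The function names and the folding of `(eval N)` into a single bucket are choices of this example; the sample lines and the count of 92 are the ones quoted above.

```python
import re
from collections import Counter

# Error lines quoted in the message above, with the mail client's wrapping.
SAMPLE = """\
[Fri Sep 22 05:24:55 2000] [error] Insecure dependency in require
while running with -T switch at
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Mon Sep 18 13:46:21 2000] [error] Insecure dependency in require
while running with -T switch at (eval 258) line 3.
[Sat Sep 16 11:14:13 2000] [error] Insecure dependency in require
while running with -T switch at
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Fri Sep  1 13:05:50 2000] [error] Insecure dependency in require
while running with -T switch at
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Wed Aug 30 11:07:47 2000] [error] Insecure dependency in require
while running with -T switch at
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
"""
REQUESTS = 92  # access-log hits for the URI, as reported in the message

ENTRY_START = re.compile(r"\n(?=\[\w{3} \w{3} [ \d]\d )")
TAINT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] Insecure dependency in (?P<op>\S+) "
    r"while running with -T switch at (?P<where>.+) line (?P<line>\d+)\.$"
)

def unwrap(text):
    """Rejoin wrapped entries; a new entry starts with a '[Day Mon DD ' stamp."""
    return [" ".join(e.split()) for e in ENTRY_START.split(text.strip())]

def summarize(text, requests):
    """Count taint failures per (operation, call site) and the failure rate."""
    sites = Counter()
    for entry in unwrap(text):
        m = TAINT.match(entry)
        if m:
            # "(eval N)" carries a running counter; fold it into one bucket.
            where = re.sub(r"\(eval \d+\)", "(eval)", m["where"])
            sites[(m["op"], f"{where}:{m['line']}")] += 1
    total = sum(sites.values())
    return sites, total, total / requests if requests else 0.0

if __name__ == "__main__":
    sites, total, rate = summarize(SAMPLE, REQUESTS)
    for (op, site), n in sites.most_common():
        print(f"{n:3d}  {op:8s} {site}")
    print(f"{total} of {REQUESTS} requests failed ({rate:.1%})")
```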
