> -----Original Message-----
> From: Perrin Harkins [mailto:[EMAIL PROTECTED] 
> Sent: 30 March 2007 17:19
> To: Shah, Sagar: IT (LDN)
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> modperl@perl.apache.org; Client Research Development
> Subject: Re: "Insecure dependency in eval while running setgid" error
> 
> 
> On 3/30/07, [EMAIL PROTECTED] 
> <[EMAIL PROTECTED]> wrote:
> > The untainting itself however happens just before the error 
> is thrown, 
> > so think it's more about estabilishing in precisely which 
> conditions 
> > the m// operator loses it's ability to untaint and coming 
> up with the 
> > most trivial demonstration of that we can.
> 
> This might be a silly question, but what makes you think this 
> has to do with tainting?  If it was a taint problem, wouldn't 
> it say "Insecure dependency in eval while running with -T 
> switch"?  It's complaining about eval while running setgid.  
> (I know you said you aren't running setgid, but I think you 
> should be trying to figure out why it thinks it's setgid, not 
> why something is tainted.)


I think the text of the error message is getting confused because perl
thinks it's running setgid when it isn't (that's a separate and less
important issue that I think a couple of people have pointed out to get
me on the right track). Earlier this week I and a colleage  were looking
at the perl code and I think the suffix of that error message is just
decided by a block of tests not by what rows the taint error.

The reason why I think it's an issue with tainting is simply because:
A) It's an Insecure Depdencency error
B) As I saw with the debugging output that I sent to the mailing list
yesterday, the time when it goes wrong is when the m/(.*)/ line doesn't
untaint a piece of text which it has untainted lots of times before just
fine. Surely that should be a deterministic and repeatable action. i.e.
the output should always be the same if the input is. (assuming
controlled conditions with the regex engine's options)

It's certainly not an error with the specific code that is being evaled
or anything that code is doing. I've convinced myself of that pretty
reasonably. The fact that I think I haven't hit the error before is that
using a piece of tainted data in most operations doesn't result in a
warning, it's only certain operations of which eval is one of.

On Monday we're going to see if we can repeat the problem in our other
mod_perl page just by adding some debugging to that to see if the stuff
we think we're successfully untainting is actually untainted  every
time, or only most of the time. This'll be an interesting thing to
report back on..

------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site at 
http://www.barcap.com.

Internet communications are not secure and therefore the Barclays Group does 
not accept legal responsibility for the contents of this message.  Although the 
Barclays Group operates anti-virus programmes, it does not accept 
responsibility for any damage whatsoever that is caused by viruses being 
passed.  Any views or opinions presented are solely those of the author and do 
not necessarily represent those of the Barclays Group.  Replies to this email 
may be monitored by the Barclays Group for operational or business reasons.
------------------------------------------------------------------------

Reply via email to