Hi Josh,

Thanks for your input - I've just about come to the same point as well, but don't know how to "fix" either :-/


Kim



       When the taint mode ("-T") is in effect, the "." directory is removed
       from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are
       ignored by Perl. You can still adjust @INC from outside the program by
       using the "-I" command line option as explained in perlrun. The two
       environment variables are ignored because they are obscured, and a
       user running a program could be unaware that they are set, whereas
       the "-I" option is clearly visible and therefore permitted.

       Another way to modify @INC without modifying the program, is to use the
       "lib" pragma, e.g.:

         perl -Mlib=/foo program

       The benefit of using "-Mlib=/foo" over "-I/foo", is that the former
       will automagically remove any duplicated directories, while the latter
       will not.

       Note that if a tainted string is added to @INC, the following problem
       will be reported:

         Insecure dependency in require while running with -T switch

   Cleaning Up Your Path
       For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a
       known value, and each directory in the path must be absolute and
       non-writable by others than its owner and group. You may be surprised
       to get this message even if the pathname to your executable is fully
       qualified. This is not generated because you didn't supply a full path
       to the program; instead, it's generated because you never set your
       PATH environment variable, or you didn't set it to something that was
       safe. Because Perl can't guarantee that the executable in question
       isn't itself going to turn around and execute some other program that
       is dependent on your PATH, it makes sure you set the PATH.



On 2011-01-18 09:47, Josh Narins wrote:
 From what I understand of Taint (-T) mode, this has nothing to do with 
directory permissions, and everything to do with trying to chdir to a variable 
(representing a directory) that has been marked as being unsafe, i.e. from user 
input.

See "perldoc perldiag" to find the error message, which then leads you to "perldoc 
perlsec" for more about taint mode.

That said, I don't know, inside RT, the appropriate way to deal with this.



Josh Narins
Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Mobile: (917) 488-6248
Fax: (212) 994-4260
[email protected]

SeniorBridge
Managing Complex Chronic Care
http://www.seniorbridge.com


SeniorBridge Statement of Confidentiality: The contents of this email message 
are intended for the exclusive use of the addressee(s) and may contain 
confidential or privileged information. Any dissemination, distribution or 
copying of this email by an unintended or mistaken recipient is strictly 
prohibited. In said event, kindly reply to the sender and destroy all entries 
of this message and any attachments from your system. Thank you.

-----Original Message-----
Fr
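
Added example, not part of either message above and not RT code: a generic Perl sketch of the two taint-mode points in this thread, setting PATH to a known value as the perlsec excerpt describes and untainting a directory name with a regex capture before chdir. The script name, the allowed character set and the untaint_dir helper are assumptions made for illustration.

```perl
# Run as: perl -T untaint_chdir.pl /var/tmp   (script name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with -T to see the taint checks\n" unless ${^TAINT};

# perlsec: set PATH to a known value and drop the other shell-affecting
# variables, otherwise system/exec/backticks die with "Insecure $ENV{PATH}".
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: returns an untainted copy of $dir, or nothing if the
# value is not an absolute path made of a conservative character set.
# A regex capture ($1) is how Perl lets a program vouch for a value.
sub untaint_dir {
    my ($dir) = @_;
    return unless defined $dir;
    return if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};         # no ".." components
    return $1 if $dir =~ m{\A(/[A-Za-z0-9_./-]*)\z};   # assumed allow-list
    return;
}

# Anything from @ARGV (or %ENV, or file input) is tainted under -T.
my $requested = shift @ARGV;
die "usage: perl -T untaint_chdir.pl /absolute/dir\n"
    unless defined $requested;

printf "before: tainted=%d\n", tainted($requested) ? 1 : 0;

# Using the raw value is refused; the message is
# "Insecure dependency in chdir while running with -T switch".
eval { chdir $requested; 1 } or print "raw value rejected: $@";

my $dir = untaint_dir($requested)
    or die "refusing directory name outside the allowed set\n";

printf "after:  tainted=%d\n", tainted($dir) ? 1 : 0;
chdir $dir or die "chdir $dir: $!\n";
print "now in $dir\n";
```

The pattern should be as narrow as the application allows; capturing with (.*) would clear the taint flag without validating anything.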
