[Catalyst] Taint mode -FormFu - Insecure dependency

2011-09-13 Thread Stefan
Hi,

I'm using Catalyst with FormFu in Apache2 and have switched on the taint mode
in Apache config:

PerlTaintCheck on

Pages without a form are working without problems.

Now I have a simple contact form created with FormFu which works fine in
Catalyst Development Server.

But in Apache I get the following error:

[error] Caught exception in MyApp::Controller::Contact->index Insecure
dependency in require while running with -T switch at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 371.
at /usr/local/share/perl/5.10.1/HTML/FormFu/Role/CreateChildren.pm line 136
at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179

Now I've modified the Util.pm so that I get a more detailed view on the
tainted variable:

    if ( !exists $::INC{$class} ) {
        # Added by myself (tainted() is exported by Scalar::Util):
        if ( tainted($class) ) {
            die "This require is tainted: " . $class;
        }

        eval { require $class };    # This is line 371
        …

Now I get the following error message:

[error] Caught exception in MyApp::Controller::Contact->index This require
is tainted: HTML/FormFu/Element/Select.pm at
/usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 376.
at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179

I think the problem is that FormFu reads the .yml file and determines
which Modules to 'require'. Because the require value is read from a file, I
get an Insecure Dependency Error.

One solution is to disable TaintMode, but I think this isn't recommended.

How can I solve this problem?

Sorry for my recent flood of questions but I can't find a solution by
googling.

Thanks a lot for your help!!

Stefan

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] Taint mode -FormFu - Insecure dependency

2011-09-13 Thread Carl Franks
On 13 September 2011 13:25, Stefan catal...@s.profanter.me wrote:
> Hi,
>
> I’m using Catalyst with FormFu in Apache2 and have switched on the taint mode
> in Apache config:
>
> PerlTaintCheck on
>
> Pages without a form are working without problems.
>
> Now I have a simple contact form created with FormFu which works fine in
> Catalyst Development Server.
>
> But in Apache I get the following error:
>
> [error] Caught exception in MyApp::Controller::Contact->index Insecure
> dependency in require while running with -T switch at
> /usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 371.
> at /usr/local/share/perl/5.10.1/HTML/FormFu/Role/CreateChildren.pm line 136
> at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179
>
> Now I’ve modified the Util.pm so that I get a more detailed view on the
> tainted variable:
>
>     if ( !exists $::INC{$class} ) {
>         # Added by myself:
>         if ( tainted($class) ) {
>             die "This require is tainted: " . $class;
>         }
>
>         eval { require $class };    # This is line 371
>         …
>
> Now I get the following error message:
>
> [error] Caught exception in MyApp::Controller::Contact->index This require
> is tainted: HTML/FormFu/Element/Select.pm at
> /usr/local/share/perl/5.10.1/HTML/FormFu/Util.pm line 376.
> at /usr/local/share/perl/5.10.1/HTML/FormFu/ObjectUtil.pm line 179
>
> I think the problem is that FormFu reads the .yml file and determines
> which Modules to ‘require’. Because the require value is read from a file, I
> get an Insecure Dependency Error.
>
> One solution is to disable TaintMode, but I think this isn’t recommended.

I gave up using Taint several years ago, due to a number of Catalyst's
dependencies being incompatible (I can't remember which, now).

I'd be surprised if this is the only error you run into.
I'd recommend not just trying to switch TaintMode on under apache -
instead, if your application has a comprehensive test suite, run it
with Taint on - otherwise, completely reinstall all the cpan modules
you've already installed - this time with Taint mode forced on under
the install / test harness.
This will reduce the likelihood of you randomly hitting errors at runtime.

Carl
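
An added illustration, not part of the thread and not HTML::FormFu code: how Perl's taint check treats a module name that originates from file data, and how a strict pattern can validate and untaint it before `require`. The helper name, the `File` namespace (a core one, so it runs without FormFu installed) and the sample type values are assumptions constructed for the example.

```perl
# Run with: perl -T untaint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run with perl -T\n" unless ${^TAINT};

# Constructed input. Appending a zero-length slice of $^X (tainted under -T)
# taints a string the same way reading it from a .yml file would.
my $TAINT = substr( $^X, 0, 0 );
my @types = map { $_ . $TAINT } ( 'Basename', '../Find' );
die "sample input is not tainted\n" unless tainted( $types[0] );

# Hypothetical helper, not HTML::FormFu code: turn an element type into a
# module file only if it is a plain identifier, so it cannot leave $namespace.
sub module_file_for {
    my ( $namespace, $type ) = @_;

    # Only a regex capture clears taint, so the pattern is the whole policy:
    # no '::', '/', '.' or whitespace gets through.
    my ($clean) = $type =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/
        or return;

    ( my $file = "${namespace}::${clean}.pm" ) =~ s{::}{/}g;
    return $file;
}

for my $type (@types) {
    # Requiring the raw value reproduces the error from the thread.
    my $raw = "File/$type.pm";
    eval { require $raw };
    my $raw_result = $@ =~ /Insecure dependency/ ? 'taint error' : 'loaded';

    # Requiring the validated value passes the taint check.
    my $file = module_file_for( 'File', $type );
    my $checked_result =
        !defined $file            ? 'rejected by pattern'
      : eval { require $file; 1 } ? 'loaded'
      :                             'failed to load';

    printf "%-10s raw: %-12s validated: %s\n",
        $type, $raw_result, $checked_result;
}
```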



Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread Chris Stinemetz
> Did you have ssh server started in VM?

Yes.

> If you have one check firewall on VM.

Where do I check the firewall on VM? What changes do I need to make?

Thank you,

Chris



Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread Chris Stinemetz
> Which network type are you using for the VM (bridged vs. NAT vs. host
> only)?

I have it set up as bridged

> If you type netstat -tupan | grep 22 in the VM console, do you get
> anything?  (That should show if there is an SSH daemon on port 22.)

tcp  0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1153/sshd
tcp6 0 0 :::22      :::*      LISTEN 1153/sshd

> Can the server ping the outside world?  For example, if you type ping
> www.google.com on the VM console, does it work?

No I can't.
I get ping: unknown host www.google.com

> And you are sure that you are using the IP of the guest VM (get from
> ifconfig on the guest VM console), not the host, right?

correct.

ifconfig returns

int addr:127.0.0.1

> The downloadable VM images shouldn't have any sort of iptables firewalling
> enabled, so that shouldn't be an issue unless you enabled something there.

Thanks



RE: [Catalyst] RE: DBIC - JSON conversion for AJAX

2011-09-13 Thread Roland Philibert
Eden> Then if you ask for a Content-Type of application/json you'll get
Eden> JSON from that in your response.

I would do that by adding to the REST controller:

    sub end :Private {
        my ($self, $c) = @_;
        $c->forward('View::JSON');
    }

Is that correct?

-----Original Message-----
From: Eden Cardim [mailto:edencar...@gmail.com]
Sent: 12 September 2011 21:31
To: The elegant MVC web framework
Subject: Re: [Catalyst] RE: DBIC - JSON conversion for AJAX

Roland == Roland Philibert rphilib...@aptina.com writes:

Roland> Thanks all for your suggestions so far.  I was I guess on
Roland> the right track with JSON:XS but I had also seen REST but so
Roland> far I am still unsure as what the best way to go

Catalyst::Controller::REST + DBIx::Class::ResultClass::HashRefInflator
works pretty well:

    $self->status_ok(
        $c,
        entity => $rs->search({}, {
            result_class => 'DBIx::Class::ResultClass::HashRefInflator'
        })->next
    );

Then if you ask for a Content-Type of application/json you'll get JSON
from that in your response.

-- 
  Eden Cardim
  Code Monkey  http://www.shadowcat.co.uk/catalyst/
  Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://blog.edencardim.com/
http://www.shadowcat.co.uk/servers/
http://twitter.com/#!/edenc



Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread hkclark
On Tue, Sep 13, 2011 at 11:45 AM, Chris Stinemetz
chrisstinem...@gmail.com wrote:

> > Which network type are you using for the VM (bridged vs. NAT vs. host
> > only)?
>
> I have it set up as bridged
>
> > If you type netstat -tupan | grep 22 in the VM console, do you get
> > anything?  (That should show if there is an SSH daemon on port 22.)
>
> tcp  0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1153/sshd
> tcp6 0 0 :::22      :::*      LISTEN 1153/sshd
>
> > Can the server ping the outside world?  For example, if you type ping
> > www.google.com on the VM console, does it work?
>
> No I can't.
> I get ping: unknown host www.google.com
>
> > And you are sure that you are using the IP of the guest VM (get from
> > ifconfig on the guest VM console), not the host, right?
>
> correct.
>
> ifconfig returns
>
> int addr:127.0.0.1


That address should be assigned to the lo interface.  Do you see an eth0
interface?  If not, we need to figure out why it's missing or not up.  Maybe
ping me on IRC #catalyst if that's an option for you.

The fact that you can't ping www.google.com does make it seem like you might
be having an issue with the network setup... in theory, that should work.

Also, it might be worth disabling any firewall you have on the *host*
machine and rebooting the VM.

Thanks,
Kennedy



> > The downloadable VM images shouldn't have any sort of iptables
> > firewalling enabled, so that shouldn't be an issue unless you enabled
> > something there.
>
> Thanks



Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread Simon Wilcox

On 13/09/2011 16:45, Chris Stinemetz wrote:

> > If you type netstat -tupan | grep 22 in the VM console, do you get
> > anything?  (That should show if there is an SSH daemon on port 22.)
>
> tcp  0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1153/sshd
> tcp6 0 0 :::22      :::*      LISTEN 1153/sshd


Do you have a DHCP server on your network ?

That output suggests to me that no IP address has been assigned to
eth0.  The VM uses DHCP to assign an IP address. In NAT'd mode the VM
host software, such as VMPlayer or VirtualBox, will use its own
internal DHCP server but in bridged mode you will need one available on
the local network.


Simon.



RE: [Catalyst] Simple tutorials

2011-09-13 Thread John Karr
I strongly recommend the Catalyst Tutorial. It is denser than I would have 
liked when figuring Catalyst out, and sometimes digresses about outdated 
versions of Catalyst, other than that my biggest gripe is that it completely 
ignores DBI Models, which means that if you don't know DBIx::Class coming in, 
prefer another ORM, or prefer SQL to ORM you have to put a lot of effort into 
DBIx::Class which is very distracting from understanding the rest of Catalyst. 
I also recommend becoming familiar with TemplateToolkit and Moose before 
starting work on Catalyst, just so that you have less to grasp while working 
through the Catalyst/DBIx::Class Tutorial.

I've written an auxiliary document on using DBI models (the version up is
about half complete. A new version should be going up by the end of the month),
you can find it at
http://brainbuz.org/techinfo/Catalyst-Model-Simple-Tutorial.html
or on github at https://github.com/brainbuz/Catalyst--Model--Simple--Tutorial.


From: Chris Stinemetz [chrisstinem...@gmail.com]
Sent: Sunday, September 11, 2011 4:52 PM
To: catalyst@lists.scsys.co.uk
Subject: [Catalyst] Simple tutorials


Hello,

I just finished installing catalyst along with strawberry perl. Would someone 
please recommend a good tutorial to get my feet wet?

Thank you,

Chris


Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread Chris Stinemetz
Thanks everyone that helped.

I was able to get it to work, although I had to use VMware instead of
Virtualbox to get bridged connection to work. I must have been
configuring virtualbox incorrectly. At any rate, it works and I can
start the tutorial!

Thanks,

Chris



Re: [Catalyst] Catalyst::Manual::Tutorial::01_Intro

2011-09-13 Thread hkclark
On Tue, Sep 13, 2011 at 5:03 PM, Chris Stinemetz
chrisstinem...@gmail.com wrote:

> Thanks everyone that helped.
>
> I was able to get it to work, although I had to use VMware instead of
> Virtualbox to get bridged connection to work. I must have been
> configuring virtualbox incorrectly. At any rate, it works and I can
> start the tutorial!
>
> Thanks,
>
> Chris


Hi Chris,

Thanks for the update.  I'll probably post an image with a lightweight X
Windows setup so people can do it totally local to the VM console even if
they can't get any network outside of the VM working... hopefully that will
help in cases where the network stuff proves difficult.  That being said,
I'm glad you got it working! :-)

BTW, let me know if you came away with any tips that other folks might
benefit from (the whole Tutorial VM stuff is new, so definitely open to
suggestions).

Thanks!
Kennedy


[Catalyst] perldoc install on VM

2011-09-13 Thread Chris Stinemetz
I'm trying to install perldoc onto the VM as described in the
tutorial. But I am not having any success. Below is the end result.
Thanks in advance!

root@catalyst:~# apt-get install perl-doc
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package perl-doc is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
 perl

E: Package 'perl-doc' has no installation candidate
root@catalyst:~#



Re: [Catalyst] perldoc install on VM

2011-09-13 Thread Kamen Naydenov
On Wed, Sep 14, 2011 at 07:22, Chris Stinemetz chrisstinem...@gmail.com wrote:
> I'm trying to install perldoc onto the VM as described in the
> tutorial. But I am not having any success. Below is the end result.
> Thanks in advance!
>
> root@catalyst:~# apt-get install perl-doc
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Package perl-doc is not available, but is referred to by another package.
> This may mean that the package is missing, has been obsoleted, or
> is only available from another source
> However the following packages replace it:
>  perl
>
> E: Package 'perl-doc' has no installation candidate
> root@catalyst:~#

Check output of: apt-cache policy perl-doc

You may need to configure your sources list (/etc/apt/sources.list).

best regards
Kamen
