You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by Mike Cardwell <mo...@blubbernet.com> on 2005/05/21 12:10:59 UTC

Problem with taint

Hi,

I installed the new release of ModPerl2 today. I've not used any of the
betas previously so am not sure if the problem is specific to this
version or not. In my PerlResponseHandler I have the following code:

sub handler {
   my $r = shift;
   my( $path ) = $r->filename()=~/^(.*)$/;
   eval{ require $path };
   $r->content_type('text/plain');
   if( $@ ){
      $r->print($@) if $@;
   } else {
      $r->print("Required $path success");
   }
   return Apache2::Const::OK();
}

I get the following message printed out:

"Insecure dependency in eval while running setgid at
/var/www/devel/perl_modules/MyApache/Handler.pm"

Why? Everything is untainted... I'm not using suexec. I'm using
apache2-mpm-fork if that makes any difference, although I doubt it does.

I can require the module from a script using PerlRequire fine, however I
need to be able to dynamically require modules inside my
PerlResponseHandler...

Thanks,
Mike

-- 
Digital photo printing - http://www.fotoserve.com/

Re: Problem with taint

Posted by Stas Bekman <st...@stason.org>.

Mike Cardwell wrote:
> Hi,
> 
> I installed the new release of ModPerl2 today. I've not used any of the
> betas previously so am not sure if the problem is specific to this
> version or not. In my PerlResponseHandler I have the following code:
> 
> sub handler {
>    my $r = shift;
>    my( $path ) = $r->filename()=~/^(.*)$/;
>    eval{ require $path };
>    $r->content_type('text/plain');
>    if( $@ ){
>       $r->print($@) if $@;
>    } else {
>       $r->print("Required $path success");
>    }
>    return Apache2::Const::OK();
> }
> 
> I get the following message printed out:
> 
> "Insecure dependency in eval while running setgid at
> /var/www/devel/perl_modules/MyApache/Handler.pm"
> 
> Why? Everything is untainted... I'm not using suexec.  I'm using
> apache2-mpm-fork if that makes any difference, although I doubt it does.

You've untainted $path, but other things may still be tainted. e.g. @INC. 
 From perlsec.pod:

       Note that if a tainted string is added to @INC, the following
       problem will be reported:

          Insecure dependency in require while running with -T switch

not exactly the same, but probably is.

see for example how we untaint @INC in Apache-Test:

# Temporarily untaint PATH
sub untaint_path {
     my $path = shift;
     ($path) = ( $path =~ /(.*)/ );
     # win32 uses ';' for a path separator, assume others use ':'
     my $sep = WIN32 ? ';' : ':';
     # -T disallows relative and empty directories in the PATH
     return join $sep, grep !/^(\.|$)/, split /$sep/, $path;
}

> I can require the module from a script using PerlRequire fine, however I
> need to be able to dynamically require modules inside my
> PerlResponseHandler...




-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com