Posted to modperl@perl.apache.org by Michael Blakeley <mi...@blakeley.com> on 2000/07/26 00:58:15 UTC

further adventures with taint

Solaris 2.6, Perl 5.6, apache 1.3.9, mod_perl 1.24.

I see intermittent Apache error_log entries like:

[Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require 
while running with -T switch at (eval 85) line 3.

Here's what perldiag says:
      Insecure dependency in %s
          (F) You tried to do something that the tainting
          mechanism didn't like.  The tainting mechanism is turned
          on when you're running setuid or setgid, or when you
          specify -T to turn it on explicitly.  The tainting
          mechanism labels all data that's derived directly or
          indirectly from the user, who is considered to be
          unworthy of your trust.  If any such data is used in a
          "dangerous" operation, you get this error.  See the
          perlsec manpage for more information.

OK, I (normally) run with PerlTaintCheck on, and I've read perlsec. 
My PATH is ''. How can I find out where this insecure dependency 
_is_, so I can turn taint back on? The timestamp tells me which 
script failed, and it uses a whole slew of modules.
	use strict;
	use Apache::Constants qw/:http/;
	use LWP;
	use tuner;
	use MIME::Lite;
	use HTML::Parse;

I suspect MIME::Lite, but the code won't work if I remove it. How can 
I be sure if it's to blame, so I can attempt to patch it (or its 
dependencies)? Is there anything like a Taint::Carp, that'd give me a 
full back-trace from the insecure code (and works under mod_perl)?

Running with PERL5OPT=-d is no good; the problem never shows up. perl 
-cwT shows nothing (which confirms that it's a runtime error, I 
suppose).

The Guide, perlrun, perlsec, and the perl books I've read are... a 
little weak on Taint debugging techniques. If I can ever work through 
the problems I'm having, I'll be delighted to contribute some docs on 
this.

I'd really like to run with PerlTaintCheck on - any ideas?

thanks,
-- Mike
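
Added example, not part of the original thread or of any module named in it: one way to get the back-trace asked for above is a `__DIE__` handler that rewrites taint failures with `Carp::longmess` and lists which `@INC` and `%ENV` values are tainted at that moment. The names `tainted_state` and `load_mailer`, the file name `taint_trace.pl` and the tainted module path are constructed for the demonstration; under mod_perl the handler would be installed once at server startup, which is an assumption about deployment.

```perl
# Added example. Run with taint mode on: perl -T taint_trace.pl
use strict;
use warnings;
use Carp ();
use Scalar::Util qw(tainted);

# Name the ambient inputs that are tainted right now: plain-string @INC
# entries and environment variables.
sub tainted_state {
    my @hits = map  { "\$INC[$_]" }
               grep { !ref($INC[$_]) && tainted($INC[$_]) } 0 .. $#INC;
    push @hits, map { "\$ENV{$_}" } grep { tainted($ENV{$_}) } sort keys %ENV;
    return @hits;
}

# Rewrite taint failures so the logged message carries the whole call stack,
# not only the innermost "at FILE line N". Everything else passes through.
$SIG{__DIE__} = sub {
    my ($msg) = @_;
    die $msg if ref($msg)
             || $msg !~ /^Insecure (?:dependency|directory|\$ENV)/;
    chomp $msg;
    my $state = join ', ', tainted_state();
    die Carp::longmess("$msg\n  tainted state: " . ($state || 'none'));
};

# Constructed reproduction: file input is always tainted, so a zero-length
# slice of it taints the module path without changing its text.
open my $fh, '<', $0 or die "cannot read $0: $!";
my $line = <$fh>;
close $fh;
my $taint = substr($line, 0, 0);

# Hypothetical caller standing in for the code that reaches the require.
sub load_mailer {
    my ($file) = @_;
    require $file;    # dies: Insecure dependency in require ...
    return 1;
}

eval { load_mailer('Net/SMTP.pm' . $taint) };
print STDERR $@ if $@;
```

The trace printed to STDERR ends with the frame that called `load_mailer`, which is the caller information missing from the short form of the error.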

Re: further adventures with taint

Posted by Michael Blakeley <mi...@blakeley.com>.
At 11:52 AM -0700 9/27/2000, Doug MacEachern wrote:
>On Mon, 4 Sep 2000, Michael Blakeley wrote:
>
>>  I've been running with AP616 and Taint On for three days now, and it
>>  seems to have fixed my problems. I hope so. I really hope so.
>
>still looking good?  would be good to know if this isn't a problem on the
>mod_perl side :)

Well... there are still taint errors, but they're much less frequent. 
A grep over the past 30 days shows 5 errors:

[Fri Sep 22 05:24:55 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Mon Sep 18 13:46:21 2000] [error] Insecure dependency in require 
while running with -T switch at (eval 258) line 3.
[Sat Sep 16 11:14:13 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Fri Sep  1 13:05:50 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Wed Aug 30 11:07:47 2000] [error] Insecure dependency in require 
while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.

The access logs show that we've called that routine 92 times during 
that period. An error rate of 5.4% isn't thrilling, but it's better 
than the 99% errors that I saw before applying AP616. It seems that 
before AP616, the server would run ok for a while, then all queries 
of this type would err. Now it seems to be more subtle - perhaps the 
patch causes Perl to clean up its error, so I only get one failure at 
a time.

I don't understand why it reports a line number in some cases, and 
the eval in others. The access log shows that all these taint errors 
accessed the same URI with similar inputs. Of course, pointer errors 
tend to exhibit this kind of unpredictable behavior, and AFAICT 
"taint" is just a flipped bit inside perl.

The line referenced above, BTW, is unexceptional to my eye:
	require Net::SMTP;

So there may still be a lurking post-AP616 bug or two. I'll certainly 
keep an eye on perl.com and try 5.6.1 when it's released. But I don't 
really suspect mod_perl at this point.

-- Mike

Re: further adventures with taint

Posted by Doug MacEachern <do...@covalent.net>.
On Mon, 4 Sep 2000, Michael Blakeley wrote:
 
> I've been running with AP616 and Taint On for three days now, and it 
> seems to have fixed my problems. I hope so. I really hope so.

still looking good?  would be good to know if this isn't a problem on the
mod_perl side :)


Re: further adventures with taint

Posted by Michael Blakeley <mi...@blakeley.com>.
At 3:58 PM -0700 7/25/2000, Michael Blakeley wrote:
>Solaris 2.6, Perl 5.6, apache 1.3.9, mod_perl 1.24.
>
>I see intermittent Apache error_log entries like:
>
>[Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require 
>while running with -T switch at (eval 85) line 3.
>
>OK, I (normally) run with PerlTaintCheck on, and I've read perlsec. 
>My PATH is ''. How can I find out where this insecure dependency 
>_is_, so I can turn taint back on? The timestamp tells me which 
>script failed, and it uses a whole slew of modules.
>	use strict;
>	use Apache::Constants qw/:http/;
>	use LWP;
>	use tuner;
>	use MIME::Lite;
>	use HTML::Parse;
>
>I suspect MIME::Lite, but the code won't work if I remove it. How 
>can I be sure if it's to blame, so I can attempt to patch it (or its 
>dependencies)? Is there anything like a Taint::Carp, that'd give me 
>a full back-trace from the insecure code (and works under mod_perl)?
>
>Running with PERL5OPT=-d is no good; the problem never shows up. 
>perl -cwT shows nothing (which confirms that it's a runtime error, I 
>suppose).
>
>The Guide, perlrun, perlsec, and the perl books I've read are... a 
>little weak on Taint debugging techniques. If I can ever work 
>through the problems I'm having, I'll be delighted to contribute 
>some docs on this.

I think I've worked through the problem. Alas, I haven't uncovered 
any cool new debugging techniques to document for the list. Instead, 
I lucked into a fix.

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-07/msg00599.html
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00126.html

Basically it seems that AP616 (ActiveState's mostly-Win32 patch to 
date) is a pretty good 5.6.1 "release candidate" for Solaris and 
Linux, too. It fixes several known bugs in 5.6.0 (none of them are 
directly Taint-related, but...).

I did have to rebuild perl, mod_perl, and apache - but I'm used to 
that. Also, AP616 added a test for Sys::Syslog, which failed on my 
Solaris system. 5.6.0 didn't have this test, and I don't use 
Sys::Syslog, so I just removed the test. Also, perl -V now returns 
some ActiveState info (which I suppose you could remove).

I've been running with AP616 and Taint On for three days now, and it 
seems to have fixed my problems. I hope so. I really hope so.

-- Mike