Tainted @INC

[Dave Jenkins <da...@silk-newmedia.com>]

Hi,

I'd appreciate some help with a nasty little intermittent problem.

I'm running...
Apache/1.3.9 (Unix) mod_perl/1.21 mod_ssl/2.4.9 OpenSSL/0.9.4
on a SuSE 6.2 box (2.2.10 kernel)

Mostly everything is fine, but now and then the following error appears. When
it does, it occurs every few requests, so presumably infects one or two of the
running Apache processes. It's cured by a restart (until the next time it
happens!)
----------------------------------------------------
[error] Insecure dependency in require while running with -T switch at <blah>
----------------------------------------------------
The relevant line in <blah> is a 'use' statement, such as
use Time::Local 'timegm';

I tried to find whether the problem was due to something dodgey getting into
@INC, by running the test script inctest.cgi, attached (is_tainted function
lifted from Camel book). If I run this after getting the above error message,
it indicates that every element of @INC is tainted.

I've looked at the "@INC and mod_perl" page in the guide. In httpd.conf I have
PerlTaintCheck On and I'm not setting PERL5LIB. My startup.pl doesn't do
anything with 'use lib'.

Thanks in advance for any advice,

Dave
--
Dave Jenkins
Silk New Media