Posted to modperl@perl.apache.org by Al...@nokia.com on 2004/04/29 15:49:44 UTC
Insecure $ENV{PATH} while running with -T at Mail/Mailer/sendmail.pm
Hi,
on the top of my mod_perl 1 script I have:
package Taskit;
BEGIN {
delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
}
use Apache;
use Apache::Constants qw(OK);
use Apache::Request;
use Net::LDAP;
use Mail::Mailer qw(sendmail);
use GSCM::CCM::Session;
use Data::Dumper;
use strict;
And still I get this error in the error_log:
Apache::StatINC: process 4585 reloading Taskit.pm.
[Thu Apr 29 15:13:53 2004] [error] Insecure $ENV{PATH} while running with -T switch at /nokia/apps/tww/@sys/perl580p/lib/5.8.0/Mail/Mailer/sendmail.pm line 16.
Is it some kind of mod_perl quirk? I thought
delete-ing $ENV{PATH} would help me with that error?
I couldn't find any help in google, "practical mod_perl"
and "mod_perl user guide" yet. Any ideas please?
This is Apache 1.3.27 on Solaris 2.8 with
PerlTaintCheck On
.....
PerlModule Apache::StatINC
PerlModule Taskit
<Location /taskit>
SetHandler perl-script
PerlHandler Taskit
PerlInitHandler Apache::StatINC
PerlSetVar StatINCDebug On
</Location>
in httpd.conf and the perl is:
boccm01:lib {104} /nokia/apps/tww/@sys/perl580/bin/perl -V
Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
Platform:
osname=solaris, osvers=2.7, archname=sun4-solaris-thread-multi
uname='sunos vegeta 5.7 generic_106541-17 sun4u sparc sunw,ultra-2 '
config_args='-Dcc=gcc -Dprefix=/nokia/apps/tww/@sys/perl580 -Dlibpth=/lib /usr/lib /usr/ccs/lib -Dlocincpth= -Dloclibpth= -Dsitearch=/nokia/apps/tww/@sys/perl580p/lib/5.8.0/sun4-solaris-thread-multi -Dsitebin=/nokia/apps/tww/@sys/perl580p/bin -Dsitelib=/nokia/apps/tww/@sys/perl580p/lib/5.8.0 -Dsiteprefix=/nokia/apps/tww/@sys/perl580p -Dvendorarch=/nokia/apps/tww/@sys/perl580p/vendor/lib/5.8.0/sun4-solaris-thread-multi -Dvendorbin=/nokia/apps/tww/@sys/perl580p/vendor/bin -Dvendorlib=/nokia/apps/tww/@sys/perl580p/vendor/lib/5.8.0 -Dvendorprefix=/nokia/apps/tww/@sys/perl580p/vendor -Dccflags=-DDEBUGGING -Dcf_email=support@thewrittenword.com -Dcf_by=The Written Word, Inc. -Doptimize=-O2 -mcpu=v7 -Aprepend:libswanted=thread $empty -Dpager=/usr/bin/more -Dinstallusrbinperl=undef -Duseshrplib=true -Duseithreads=define -Dthreads=define -des'
hint=recommended, useposix=true, d_sigaction=define
usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='gcc', ccflags ='-D_REENTRANT -DDEBUGGING -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2 -mcpu=v7',
cppflags='-D_REENTRANT -DDEBUGGING -fno-strict-aliasing'
ccversion='', gccversion='3.2 (TWW)', gccosandvers='solaris2.7'
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='gcc', ldflags =' '
libpth=/lib /usr/lib /usr/ccs/lib
libs=-lthread -lsocket -lnsl -ldl -lm -lrt -lpthread -lc
perllibs=-lthread -lsocket -lnsl -ldl -lm -lrt -lpthread -lc
libc=/lib/libc.so, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' -R /nokia/apps/tww/@sys/perl580/lib/5.8.0/sun4-solaris-thread-multi/CORE'
cccdlflags='-fPIC', lddlflags='-G'
Characteristics of this binary (from libperl):
Compile-time options: DEBUGGING MULTIPLICITY USE_ITHREADS USE_LARGE_FILES PERL_IMPLICIT_CONTEXT
Built under solaris
Compiled at Sep 26 2002 11:59:24
@INC:
/nokia/apps/tww/@sys/perl580p/lib/5.8.0/sun4-solaris-thread-multi
/nokia/apps/tww/@sys/perl580p/lib/5.8.0
/nokia/apps/tww/@sys/perl580p/lib
/nokia/apps/tww/@sys/perl580/lib/5.8.0/sun4-solaris-thread-multi
/nokia/apps/tww/@sys/perl580/lib/5.8.0
/nokia/apps/tww/@sys/perl580p/vendor/lib/5.8.0/sun4-solaris-thread-multi
/nokia/apps/tww/@sys/perl580p/vendor/lib/5.8.0
/nokia/apps/tww/@sys/perl580p/vendor/lib
.
Regards
Alex
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
Re: Insecure $ENV{PATH} while running with -T at Mail/Mailer/sendmail.pm
Posted by Stas Bekman <st...@stason.org>.
Alexander.Farber@nokia.com wrote:
> Hi,
>
> on the top of my mod_perl 1 script I have:
>
> package Taskit;
>
> BEGIN {
> delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
> }
>
> use Apache;
> use Apache::Constants qw(OK);
> use Apache::Request;
> use Net::LDAP;
> use Mail::Mailer qw(sendmail);
> use GSCM::CCM::Session;
> use Data::Dumper;
> use strict;
>
> And still I get this error in the error_log:
>
> Apache::StatINC: process 4585 reloading Taskit.pm.
> [Thu Apr 29 15:13:53 2004] [error] Insecure $ENV{PATH} while running with -T switch at /nokia/apps/tww/@sys/perl580p/lib/5.8.0/Mail/Mailer/sendmail.pm line 16.
>
> Is it some kind of mod_perl quirk? I thought
> delete-ing $ENV{PATH} would help me with that error?
The perlsec manpage suggests to set it, not delete it:
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
...
For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a
known value, and each directory in the path must be non-writable by
others than its owner and group. You may be surprised to get this message
even if the pathname to your executable is fully qualified. This
is not generated because you didn't supply a full path to the program;
instead, it's generated because you never set your PATH environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
variable, or you didn't set it to something that was safe. Because
Perl can't guarantee that the executable in question isn't itself going
to turn around and execute some other program that is dependent on your
PATH, it makes sure you set the PATH.
so when you delete it, it's as if it had never been set. Though admittedly this
works for me on linux:
% perl -Tle 'delete @ENV{qw(PATH BASH_ENV)}; qx|echo horray!|'
So it probably varies from OS to OS.
But now looking again at your output, it doesn't happen during the normal
load, but only after reload, right? Any difference with setting PATH
explicitly as the manpage suggests? Any difference if you use Apache::Reload
instead of StatINC?
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
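The difference Stas points at (setting $ENV{PATH} to a fixed value rather than deleting it) and the perlsec rule that every PATH component must be an absolute, non-world-writable directory, shown as a stand-alone taint-mode script. This is an added example, not code from the thread or from Mail::Mailer; the directories /bin and /usr/bin and the echo child are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): sanitise %ENV the way
# perlsec recommends before spawning a child under taint mode, and report
# any PATH component that taint mode would reject.
use strict;
use warnings;
use Fcntl ':mode';    # S_ISDIR, S_IWOTH, S_IMODE

# Assumption: a fixed, absolute search path that exists on this host.
my @safe_path = qw(/bin /usr/bin);

# Assigning a literal to $ENV{PATH} gives it an untainted, known value.
# Deleting PATH instead leaves it "never set", which is exactly what the
# "Insecure $ENV{PATH}" message complains about on some platforms.
sub sanitize_env {
    my @dirs = @_;
    $ENV{PATH} = join ':', @dirs;
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return $ENV{PATH};
}

# Returns a list describing each PATH entry that violates the perlsec rule:
# relative (or empty, meaning "."), missing, not a directory, or writable by
# users other than its owner and group (world-writable).
sub unsafe_path_dirs {
    my ($path) = @_;
    my @bad;
    for my $dir (split /:/, $path, -1) {
        if ($dir !~ m{^/}) {
            push @bad, "'$dir' (not absolute)";
            next;
        }
        my @st = stat $dir;
        if (!@st) {
            push @bad, "$dir (missing)";
            next;
        }
        my $mode = $st[2];
        if (!S_ISDIR($mode)) {
            push @bad, "$dir (not a directory)";
            next;
        }
        if ($mode & S_IWOTH) {
            push @bad, sprintf "%s (mode %04o, world-writable)",
                $dir, S_IMODE($mode);
        }
    }
    return @bad;
}

sanitize_env(@safe_path);
if (my @bad = unsafe_path_dirs($ENV{PATH})) {
    die "refusing to spawn a child, insecure PATH: @bad\n";
}

# With PATH set to a vetted value, a child process runs cleanly under -T.
my $greeting = qx{echo horray!};
print "child said: $greeting";
```

Run it as `perl -T script.pl` (the -T in the shebang is only honoured when perl is also started with -T; otherwise perl dies with "Too late for -T"). To see the check trip, add a relative entry or a world-writable directory such as /tmp to @safe_path: the script refuses before the child is spawned, which is the same condition perl itself enforces when it raises "Insecure $ENV{PATH}".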