perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gunther Birznieks <>
Subject Re: bogus taint error?
Date Mon, 03 Jul 2000 00:53:43 GMT
There is a remote possibility (I would have to test this at work) that your 
command-line testing will never show a taint problem.

Because you are typing all the Perl commands in STDIN, and because STDIN, 
is by its very definition tainted, you get a security paradox and Perl may 
be turning off taintmode entirely to avoid this.

If you really want to test this at the command line. Make the script. And 
then run it from the command line as the user the web server runs as (Not you).

Also, is this really a mod_perl problem? Have you tried running the program 
using normal CGI/Perl?

Also, scripts that run under Apache::PerlRun tend to be messy. So if you 
have many PerlRun scripts on a server, there is some likelihood that a 
given may be screwy if you have more than one as a required library.

One thing that comes to mind is that many old CGI/Perl scripts tend to use 
a "" file that is required. This will break in mod_perl because will be loaded into %INC and never loaded again for other scripts 
(as that "library" will be considered as cached).

Although I seem to remember Apache::PerlRun treating required libraries 
differently (eg resetting %INC after the script runs).


At 03:37 PM 7/2/00 -0700, Michael Blakeley wrote:

>At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm seeing 
>>intermittent taint errors like
>>[Sat Jul  1 18:50:13 2000] [error] PerlRun: `Insecure dependency in 
>>require while running with -T switch at / line 5.
>>head -6 shows:
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>use strict;
>>Seeing I thought 
>>that moving 'use strict' to the top might help:
>>use strict;
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>It didn't help.
>Scratch the rest of that. The line number did move with MIME::Lite after 
>all. But... I'm still hitting the taint errors. The weird thing is that I 
>can do
>perl -Tw
>use strict;
>use Apache::Constants qw/:http/;
>use LWP;
>use MIME::Lite;
>all I like, and never see the taint error. Ideas?
>-- Mike

View raw message