perl-modperl mailing list archives

From Charlie Katz <ck...@cfa.harvard.edu>
Subject inconsistent taint check results
Date Wed, 07 Mar 2007 17:27:53 GMT
Hi all,

The site I develop (Apache 2.2.3, mod_perl 2.0.2 [perl 5.8.5], Mason 1.33) 
runs with taint checking ("PerlSwitches -wT -I/www").  It's been working fine 
for many months now, with my scripts happily untainting variables as 
required.

In the last couple of weeks, all of a sudden I am seeing occasional and 
sporadic "Insecure dependency in XXX while running setgid" errors all around 
the site.  Seemingly important things I've observed about the errors:

- they seem to start after the server's been running for a day or two; 
restarting it makes them go away for a while

- inconsistent: after an occurrence (which returns 500 to the client), simply 
hitting reload in the browser gets the same request answered successfully

- not process dependent: the reload is successful whether the request hits the 
same Apache child that previously had the error, or a different child

- nonsensical: one of the places I found it occurring is in a sysopen() using a 
variable which was explicitly untainted in the preceding two lines of code

- not limited to any particular script; when they happen, they can be anywhere 
in my code that taint checking matters


I've been doing a lot of development lately (in particular adding a CDBI based 
system), but these errors are occurring in scripts that haven't been touched 
in over a year.  

After some investigation, all I've learned is that perl definitely does think 
the variables are tainted (duh!).  I'm afraid I have little idea of what to 
do next.  Any suggested courses of inquiry I could take up would be greatly 
appreciated.

Regards,
Charlie

-- 
Charlie Katz
Harvard-Smithsonian Center for Astrophysics
ckatz@cfa.harvard.edu
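The post describes untainting a variable and then seeing sysopen() reject it anyway. The script below is an added example written for this archive page, not code from the poster or from mod_perl/Mason: it shows a whitelist untainting routine that returns failure instead of silently falling through, plus a small probe built on Scalar::Util::tainted() that logs the taint status of each value right at its point of use, which is the kind of instrumentation that lets a sporadic "Insecure dependency" be traced to one specific variable. The filename pattern, the spool directory and the use of @ARGV as a stand-in for a request parameter are all assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): a safe untainting pattern and a
# taint probe for diagnosing "Insecure dependency" errors under -T.
# Run as:  perl -T this_script.pl some-name.txt
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Scalar::Util qw(tainted);

# Whitelist-based untainting: returns the clean value on success, undef on
# failure. The caller must check for undef rather than assume success. Never
# read $1 without testing the match: if the pattern fails, $1 still holds the
# previous successful match in the enclosing scope, which in a long-running
# interpreter can be a value from an unrelated request.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    if ( $raw =~ /\A([\w.-]{1,64})\z/ ) {   # assumed whitelist for this demo
        my $clean = $1;                     # capture groups are untainted
        return $clean;
    }
    return undef;
}

# Diagnostic: log whether each value is tainted at the point of use, so a
# failing sysopen() can be tied to the exact variable carrying the taint.
sub taint_probe {
    my ( $label, @values ) = @_;
    for my $i ( 0 .. $#values ) {
        my $v = $values[$i];
        my $status = !defined $v ? 'undef'
                   : tainted($v) ? 'TAINTED'
                   :               'clean';
        warn sprintf "[taint-probe] %s[%d]: %s\n", $label, $i, $status;
    }
}

# Under -T, @ARGV and %ENV are tainted. The constructed default below stands in
# for a request parameter; under mod_perl it would come from the request args.
my $request_param = defined $ARGV[0] ? $ARGV[0] : 'report-2007.txt';
taint_probe( 'request_param', $request_param );   # reports TAINTED

my $name = untaint_filename($request_param);
die "rejected filename: does not match whitelist\n" unless defined $name;
taint_probe( 'name after untaint', $name );       # reports clean

# Any tainted component re-taints the whole interpolated path, so the directory
# is a literal and the only variable part is the vetted $name.
my $dir  = '/tmp/example-spool';                  # placeholder for the demo
my $path = "$dir/$name";
taint_probe( 'path', $path );                     # reports clean

mkdir $dir unless -d $dir;
# O_EXCL so an existing file is never clobbered by the demo.
sysopen( my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600 )
    or die "sysopen $path: $!";
print {$fh} "ok\n";
close $fh or die "close $path: $!";
```

Dropping a probe like taint_probe() in front of the failing sysopen() in the affected scripts, and having it also dump the values of the untainted variable and anything interpolated alongside it, is a cheap way to learn which operand perl considers tainted when the 500 occurs, since the error message itself names only the operation.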
