This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Re: further adventures with taint
From: Michael Blakeley <mike@blakeley.com>
Date: Mon, 4 Sep 2000 15:27:18 -0700

At 3:58 PM -0700 7/25/2000, Michael Blakeley wrote:
>Solaris 2.6, Perl 5.6, apache 1.3.9, mod_perl 1.24.
>
>I see intermittent Apache error_log entries like:
>
>[Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require
>while running with -T switch at (eval 85) line 3.
>
>OK, I (normally) run with PerlTaintCheck on, and I've read perlsec.
>My PATH is ''. How can I find out where this insecure dependency
>_is_, so I can turn taint back on? The timestamp tells me which
>script failed, and it uses a whole slew of modules.
>    use strict;
>    use Apache::Constants qw/:http/;
>    use LWP;
>    use tuner;
>    use MIME::Lite;
>    use HTML::Parse;
>
>I suspect MIME::Lite, but the code won't work if I remove it. How
>can I be sure if it's to blame, so I can attempt to patch it (or its
>dependencies)? Is there anything like a Taint::Carp, that'd give me
>a full back-trace from the insecure code (and works under mod_perl)?
>
>Running with PERL5OPT=-d is no good; the problem never shows up.
>perl -cwT shows nothing (which confirms that it's a runtime error, I
>suppose).
>
>The Guide, perlrun, perlsec, and the perl books I've read are... a
>little weak on Taint debugging techniques. If I can ever work
>through the problems I'm having, I'll be delighted to contribute
>some docs on this.

I think I've worked through the problem. Alas, I haven't uncovered any cool new debugging techniques to document for the list. Instead, I lucked into a fix.

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-07/msg00599.html
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00126.html

Basically it seems that AP616 (ActiveState's mostly-Win32 patch to date) is a pretty good 5.6.1 "release candidate" for Solaris and Linux, too. It fixes several known bugs in 5.6.0 (none of them are directly Taint-related, but...).
I did have to rebuild perl, mod_perl, and apache - but I'm used to that. Also, AP616 added a test for Sys::Syslog, which failed on my Solaris system. 5.6.0 didn't have this test, and I don't use Sys::Syslog, so I just removed the test. Also, perl -V now returns some ActiveState info (which I suppose you could remove).

I've been running with AP616 and Taint On for three days now, and it seems to have fixed my problems. I hope so. I really hope so.

===
Subject: Re: further adventures with taint
From: Doug MacEachern <dougm@covalent.net>
Date: Wed, 27 Sep 2000 11:52:58 -0700 (PDT)

On Mon, 4 Sep 2000, Michael Blakeley wrote:
> I've been running with AP616 and Taint On for three days now, and it
> seems to have fixed my problems. I hope so. I really hope so.

still looking good? would be good to know if this isn't a problem on the mod_perl side :)

===
Subject: Re: further adventures with taint
From: Michael Blakeley <mike@blakeley.com>
Date: Wed, 27 Sep 2000 13:42:38 -0700

At 11:52 AM -0700 9/27/2000, Doug MacEachern wrote:
>On Mon, 4 Sep 2000, Michael Blakeley wrote:
>
>> I've been running with AP616 and Taint On for three days now, and it
>> seems to have fixed my problems. I hope so. I really hope so.
>
>still looking good? would be good to know if this isn't a problem on the
>mod_perl side :)

Well... there are still taint errors, but they're much less frequent. A grep over the past 30 days shows 5 errors:

[Fri Sep 22 05:24:55 2000] [error] Insecure dependency in require while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Mon Sep 18 13:46:21 2000] [error] Insecure dependency in require while running with -T switch at (eval 258) line 3.
[Sat Sep 16 11:14:13 2000] [error] Insecure dependency in require while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Fri Sep 1 13:05:50 2000] [error] Insecure dependency in require while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.
[Wed Aug 30 11:07:47 2000] [error] Insecure dependency in require while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Lite.pm line 2145.

The access logs show that we've called that routine 92 times during that period. An error rate of 5.4% isn't thrilling, but it's better than the 99% errors that I saw before applying AP616.

It seems that before AP616, the server would run ok for a while, then all queries of this type would err. Now it seems to be more subtle - perhaps the patch causes Perl to clean up its error, so I only get one failure at a time. I don't understand why it reports a line number in some cases, and the eval in others. The access log shows that all these taint errors accessed the same URI with similar inputs. Of course, pointer errors tend to exhibit this kind of unpredictable behavior, and AFAICT "taint" is just a flipped bit inside perl.

The line referenced above, BTW, is unexceptional to my eye:

    require Net::SMTP;

So there may still be a lurking post-AP616 bug or two. I'll certainly keep an eye on perl.com and try 5.6.1 when it's released. But I don't really suspect mod_perl at this point.

===
Subject: Taint
From: "Herrington, Jack" <jack.herrington@Certive.com>
Date: Mon, 2 Oct 2000 09:59:07 -0700

A couple of questions about taint checking.

1) What is the default taint check setting?
2) Does compiling mod_perl with EVERYTHING=1 make a difference to the taint setting?
3) Does 'PerlTaintCheck Off' actually work?
4) How do I check the taint setting at run-time from a perl handler?
===
Subject: RE: Taint
From: Geoffrey Young <gyoung@laserlink.net>
Date: Mon, 2 Oct 2000 13:18:29 -0400

> -----Original Message-----
> From: Herrington, Jack [mailto:jack.herrington@Certive.com]
> Sent: Monday, October 02, 2000 12:59 PM
> To: 'modperl@apache.org'
> Subject: Taint
>
>
> A couple of questions about taint checking.
>
> 1) What is the default taint check setting?

off

>
> 2) Does compiling mod_perl with EVERYTHING=1 make a
> difference to the taint
> setting?

no

>
> 3) Does 'PerlTaintCheck Off' actually work?

yes

>
> 4) How do I check the taint setting at run-time from a perl handler?

I'm not sure that you can. PerlTaintCheck On or Off applies to all perl scripts/handlers...

see http://perl.apache.org/guide/porting.html#Taint_Mode

===
Subject: RE: Taint
From: "Herrington, Jack" <jack.herrington@Certive.com>
Date: Mon, 2 Oct 2000 10:23:51 -0700

>> 4) How do I check the taint setting at run-time from a perl handler?
>I'm not sure that you can. PerlTaintCheck On or Off applies to all perl
>scripts/handlers...
>see http://perl.apache.org/guide/porting.html#Taint_Mode

The problem that I am having is that I am getting taint errors in mason without taint being turned on. So it makes me think that taint is actually on.

Is there a way to enable and disable taint checking at run-time?

===
Subject: RE: Taint
From: Vivek Khera <khera@kciLink.com>
Date: Mon, 2 Oct 2000 14:03:36 -0400 (EDT)

"HJ" == Herrington, Jack <jack.herrington@Certive.com> writes:

HJ> Is there a way to enable and disable taint checking at run-time?

No; taint mode is a Perl compile time decision.

===
Subject: RE: Taint
From: Geoffrey Young <gyoung@laserlink.net>
Date: Mon, 2 Oct 2000 14:36:55 -0400

Herrington, Jack [mailto:jack.herrington@Certive.com] wrote:
> Compile-time? You mean, when I compile Perl 5.6 I can
> permanently disable
> taint checking?
no, the other compile time :)

see camel 3rd ed chapter 18 for compile v run-time distinctions, esp p467

===
Subject: RE: Taint
From: Vivek Khera <khera@kciLink.com>
Date: Mon, 2 Oct 2000 14:46:05 -0400 (EDT)

"HJ" == Herrington, Jack <jack.herrington@Certive.com> writes:

HJ> Compile-time? You mean, when I compile Perl 5.6 I can permanently disable
HJ> taint checking?

No, when your perl code is compiled, just prior to it being run.

===
Subject: RE: Taint
From: Gunther Birznieks <gunther@extropia.com>
Date: Wed, 04 Oct 2000 01:30:09 +0800

At 01:09 PM 10/3/00 -0400, ricarDo oliveiRa wrote:
> "Herrington, Jack" <jack.herrington@Certive.com> wrote:
> >
> > >> 4) How do I check the taint setting at run-time from a perl handler?
> > >I'm not sure that you can. PerlTaintCheck On or Off applies to all perl
> > >scripts/handlers...
> > >see http://perl.apache.org/guide/porting.html#Taint_Mode
> >
> >The problem that I am having is that I am getting taint errors in mason
> >without taint being turned on. So it makes me think that taint is actually
> >on.
> >
> >Is there a way to enable and disable taint checking at run-time?
>I hope this can help you:
>
>http://www.gunther.web66.com/FAQS/taintmode.html

Thanks. :)

Although I am not sure if this will help the person in question...

I think that persistent Perl seems to run into some odd/interesting issues where taint mode is triggered in some odd ways. I've never encountered it myself but I've heard from others that there is some weird stuff going on.

Of course, if you want to untaint a variable just do...

    $tainted =~ /(.*)/;
    $tainted = $1;

Of course, the FAQ says don't do this because you may not understand why the taint mode has triggered something and that cause should be rectified by a more precise expression.

In addition, if the taintmode errors are being triggered in Mason, then I find it hard to believe that Mason does not already take care of this for its users.

===
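Three points raised in this thread (reading the taint setting at run-time, getting a backtrace for "Insecure dependency in require", and untainting with a precise pattern instead of `/(.*)/`), combined in an added example that is not part of any message above. It assumes Perl 5.8 or later, where `${^TAINT}` and `Scalar::Util::tainted` are available, and an installed Net::SMTP; `%ALLOWED`, `untaint_module` and `load_module` are hypothetical names.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T taint_demo.pl
# Assumes Perl 5.8+ (${^TAINT}, Scalar::Util) and an installed Net::SMTP.
use strict;
use warnings;
use Carp ();
use Scalar::Util qw(tainted);

# Hypothetical allow-list of modules a handler may load on demand.
my %ALLOWED = map { $_ => 1 } qw(Net::SMTP);

# Untaint with an anchored pattern that admits only a module name, then
# check the allow-list. A blanket /(.*)/ would launder any input at all.
sub untaint_module {
    my ($name) = @_;
    return undef
        unless defined $name
        && $name =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*)\z/;
    my $clean = $1;
    return $ALLOWED{$clean} ? $clean : undef;
}

# Load a module by name. On a taint failure, die with a full backtrace
# so the log shows the call chain instead of only "(eval N) line 3".
sub load_module {
    my ($name) = @_;
    local $SIG{__DIE__} = sub {
        Carp::confess($_[0]) if $_[0] =~ /^Insecure dependency/;
    };
    (my $file = "$name.pm") =~ s{::}{/}g;
    require $file;
    return $name;
}

# Run-time view of the setting: 1 = -T, -1 = -t (warnings only), 0 = off.
printf "taint mode: %d\n", ${^TAINT};

# Constructed input: appending a zero-length slice of $^X, which is
# tainted under -T, taints the whole string like request data would be.
my $requested = 'Net::SMTP' . substr($^X, 0, 0);
printf "input tainted: %s\n", tainted($requested) ? 'yes' : 'no';

eval { load_module($requested) };
print "tainted name refused:\n$@\n" if $@;

my $clean = untaint_module($requested);
die "module name not allowed\n" unless defined $clean;
printf "after untaint, tainted: %s\n", tainted($clean) ? 'yes' : 'no';
print "loaded ", load_module($clean), "\n";
```

Under mod_perl the same `$SIG{__DIE__}` hook can be localized inside a handler so that only taint failures gain the longer trace in error_log.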