Re: Problem with taint
Mike Cardwell wrote:
> Hi,
>
> I installed the new release of ModPerl2 today. I've not used any of the
> betas previously so am not sure if the problem is specific to this
> version or not. In my PerlResponseHandler I have the following code:
>
> sub handler {
>     my $r = shift;
>     my ($path) = $r->filename() =~ /^(.*)$/;   # regex capture untaints the filename
>     eval { require $path };
>     $r->content_type('text/plain');
>     if ($@) {
>         $r->print($@);
>     } else {
>         $r->print("Required $path success");
>     }
>     return Apache2::Const::OK();
> }
>
> I get the following message printed out:
>
> "Insecure dependency in eval while running setgid at
> /var/www/devel/perl_modules/MyApache/Handler.pm"
>
> Why? Everything is untainted... I'm not using suexec. I'm using
> apache2-mpm-fork if that makes any difference, although I doubt it does.
You've untainted $path, but other things may still be tainted. e.g. @INC.
From perlsec.pod:
Note that if a tainted string is added to @INC, the following
problem will be reported:
Insecure dependency in require while running with -T switch
Not exactly the same, but probably is.
See for example how we untaint @INC in Apache-Test:
    # Temporarily untaint PATH
    use constant WIN32 => $^O eq 'MSWin32';   # as defined in Apache::TestConfig
    sub untaint_path {
        my $path = shift;
        ($path) = ($path =~ /(.*)/);           # regex capture untaints the string
        # win32 uses ';' for a path separator, assume others use ':'
        my $sep = WIN32 ? ';' : ':';
        # -T disallows relative and empty directories in the PATH
        return join $sep, grep !/^(\.|$)/, split /$sep/, $path;
    }
> I can require the module from a script using PerlRequire fine, however I
> need to be able to dynamically require modules inside my
> PerlResponseHandler...
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@xxxxxx.xxx http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Stas Bekman 18:04 on 23 May 2005
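The @INC point above, as an added example that is not from the post or from Apache-Test: a tainted @INC entry makes `require` die under `-T`, and applying the same untainting idea (drop empty and relative entries, pass the rest through a capture) fixes it. The helper name `untaint_inc`, the `TaintDemo::Hello` module and the temp directory are constructed for the demo.

```perl
#!/usr/bin/perl -T
# Added example: tainted @INC breaks require() under -T; untaint it and retry.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical helper: untaint @INC in place. Code refs (hooks) are kept,
# empty and relative entries are dropped (-T rejects them anyway), and the
# rest must match a strict absolute-path pattern; the capture untaints.
sub untaint_inc {
    my @clean;
    for my $entry (@INC) {
        if (ref $entry) { push @clean, $entry; next }
        next if !defined $entry || $entry !~ m{^/};
        my ($dir) = $entry =~ m{^([\w./-]+)$} or next;
        push @clean, $dir;
    }
    @INC = @clean;
    return scalar @INC;
}

# Constructed fixture: a throwaway module in a temporary directory.
my $dir    = tempdir(CLEANUP => 1);
my $subdir = File::Spec->catdir($dir, 'TaintDemo');
mkdir $subdir or die "mkdir $subdir: $!";
my $pm = File::Spec->catfile($subdir, 'Hello.pm');
open my $out, '>', $pm or die "open $pm: $!";
print $out "package TaintDemo::Hello;\nsub greet { 'hello' }\n1;\n";
close $out;

# Taint the directory name: data read from a filehandle is tainted, and an
# empty tainted substring carries its taint into the concatenation.
open my $in, '<', $pm or die "open $pm: $!";
my $taint = substr(scalar <$in>, 0, 0);
close $in;
unshift @INC, $dir . $taint;
print "new \@INC entry tainted? ", (tainted($INC[0]) ? "yes\n" : "no\n");

eval { require TaintDemo::Hello };
print "require before untaint: ", ($@ ? "failed: $@" : "ok\n");

untaint_inc();
delete $INC{'TaintDemo/Hello.pm'};    # let require try again
eval { require TaintDemo::Hello };
print "require after untaint:  ",
      ($@ ? "failed: $@" : "ok, " . TaintDemo::Hello::greet() . "\n");
```

Run it as `perl -T untaint_inc.pl`; the first `require` reports "Insecure dependency in require while running with -T switch" and the second succeeds.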