David R.Schulte (via RT) wrote:
> Under Perl 5.8.0, we are seeing an insecure dependency generated
> for the PerlIO.pm with the following script when executed with the
> real uid != effective uid:
>
> #!/bin/perl
>
> use XML::SAX::Pipeline;
> use XML::Filter::BufferText;
>
> my $filter = XML::Filter::BufferText->new();
> my $machine = XML::SAX::Pipeline->new($filter);
>
> $machine->parse_file(\*STDIN);
>
> Error Message:
>
> Insecure dependency in eval while running setuid at /opt/perl58/lib/5.8.0/PerlIO.pm line 22.
> BEGIN failed--compilation aborted.
>
> Other than using perl's -U option, I cannot figure out how to get
> around this problem. It appears that the root of the problem is with
> PerlIO.pm's use of a tainted variable inside a "require" statement, at
> line 22.

Indeed, but this variable is a parameter to import(), that is, it's typically given on a "use" line (or, in our case, in an open(FH, "<:module", $file) statement.)

That means that the 2nd argument to open() is probably tainted, and thus that the problem is upstream -- in one of the modules you're using. I've not looked at them to confirm this, but I think you should report the problem to their author.
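
An added example, not part of the original thread or of any module named in it: one way for calling code to check whether the layer it is about to put into open()'s 2nd argument is tainted, and to clean it against an allowlist first. The helper `safe_read_mode`, the allowlist and the sample data are assumptions made for illustration; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Layers this program agrees to pass to open() (constructed allowlist).
my %ALLOWED = map { $_ => 1 } qw(raw crlf utf8);

# Hypothetical helper: turn an untrusted layer name into a clean mode string.
sub safe_read_mode {
    my ($layer) = @_;
    # A regex capture is how Perl untaints; accept a bare word only.
    my ($name) = $layer =~ /\A(\w+)\z/
        or die "layer name contains unexpected characters\n";
    die "layer '$name' is not allowed\n" unless $ALLOWED{$name};
    return "<:$name";
}

# Constructed tainted input: a zero-length slice of tainted data taints
# whatever it is joined to, standing in for a value from argv or the environment.
my $taint = substr("$0$^X", 0, 0);
my $layer = "utf8" . $taint;
print "layer tainted before check: ", (tainted($layer) ? "yes" : "no"), "\n";

my $mode = safe_read_mode($layer);
print "mode tainted after check:   ", (tainted($mode) ? "yes" : "no"), "\n";

# The cleaned mode string is what gets used as open()'s 2nd argument.
my $data = "constructed sample line\n";
open(my $fh, $mode, \$data) or die "open failed: $!\n";
print "read: ", scalar <$fh>;
close $fh;

# A name outside the allowlist is rejected instead of reaching open().
my $bad = "module" . $taint;
eval { safe_read_mode($bad); 1 } or print "rejected: $@";
```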