
solution for Insecure dependency in require while running with -Tswitch + patch

From: Stas Bekman
Date: December 4, 2004 12:05
Subject: solution for Insecure dependency in require while running with -Tswitch + patch
Message ID: 41B21893.1080706@stason.org
I've spent a good hour trying to figure out the cause of

   Insecure dependency in require while running with -T switch

in a very complex setup, which was suddenly triggered by upgrading 
Test::Harness (which, I discovered later, wasn't the guilty module, 
but just a trigger). No perl docs were able to point me where to look. 
Googling was more helpful and suggested checking @INC for tainted strings, 
and some time later I found and fixed the cause.

So here is the patch at least documenting where one should dig when 
getting this error.

Also, is it possible to adjust the error message to suggest checking @INC 
for tainted variables?

I was thinking that maybe this patch should be applied in a different 
section of the file. Instead of generally talking about perlsec issues, 
maybe it's more beneficial to start a new =head1 which will present each 
-T error and explain how to deal with it (potentially xref'ing to other 
sections of perlsec.pod).

--- pod/perlsec.pod.orig        2004-12-04 14:38:41.099879859 -0500
+++ pod/perlsec.pod     2004-12-04 14:58:15.173002855 -0500
@@ -234,6 +234,22 @@
  will automagically remove any duplicated directories, while the later
  will not.

+Note that if a tainted string is added to C<@INC>, the following
+problem will be reported:
+
+  Insecure dependency in require while running with -T switch
+
+You can check which string in C<@INC> is tainted, by checking the
+strings with help of C<is_tainted()> function presented elsewhere in
+this document:
+
+  for my $path (@INC) {
+      print "path '$path' is tainted\n" if is_tainted($path);
+  }
+
+You may need to enclose this code in C<BEGIN {}> block in case the
+failure is reported in C<use()>.
+
  =head2 Cleaning Up Your Path

  For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to
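Review bot: the added paragraph tells the reader how to find the tainted C<@INC> entry but stops short of saying what to do about it; one more sentence pointing at the laundering section (untaint the path with a regex capture, or avoid feeding tainted values such as environment variables into C<@INC> in the first place) would complete the advice. Two wording points in the same hunk: "by checking the strings with help of C<is_tainted()> function" should read "with the help of the C<is_tainted()> function", and "in C<BEGIN {}> block" needs an article ("in a C<BEGIN {}> block"); it would also help to say why, namely that C<use> runs at compile time, so the check has to run before it.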

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
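An added, runnable illustration of the check the patch documents, written for this edit rather than taken from the post or from perlsec; it assumes a made-up environment variable PERL_EXTRA_LIB as the source of the tainted path, and must be started as `perl -T find_tainted_inc.pl`:

```perl
#!/usr/bin/perl -T
# Added example for this edit; not code from the post or from perlsec.
# Run as:  PERL_EXTRA_LIB=/opt/mylib perl -T find_tainted_inc.pl
use strict;
use warnings;

# is_tainted() in the style perlsec describes: a tainted string cannot be
# used in a string-eval, so the inner eval fails only for tainted input.
sub is_tainted {
    local $@;                 # do not clobber the caller's $@
    return ! eval { eval('#' . substr(join('', @_), 0, 0)); 1 };
}

# Constructed trigger: %ENV is tainted under -T, so pushing an environment
# value onto @INC is exactly the situation the post describes. The name
# PERL_EXTRA_LIB is made up for this example. This has to happen in BEGIN
# so the entry is present (and checkable) before any `use` runs.
BEGIN {
    my $extra = $ENV{PERL_EXTRA_LIB};
    unshift @INC, $extra if defined $extra && length $extra;
}

# Report every tainted entry instead of letting `require` die with the
# bare "Insecure dependency in require" message.
sub tainted_inc_entries {
    return grep { is_tainted($_) } @INC;
}

# Laundering: the only sanctioned way to untaint is a regex capture.
# Restrict the pattern to the path shape your deployment really allows.
sub untaint_dir {
    my ($path) = @_;
    return $path =~ m{\A(/[\w./-]+)\z} ? $1 : undef;
}

for my $path (tainted_inc_entries()) {
    print "path '$path' is tainted\n";
}

@INC = map {
    if (is_tainted($_)) {
        my $clean = untaint_dir($_);
        defined $clean ? $clean : ();    # drop entries that fail the check
    } else {
        $_;
    }
} @INC;

printf "tainted entries remaining: %d\n", scalar tainted_inc_entries();
```

With PERL_EXTRA_LIB set, the script names the tainted entry and then launders or drops it, after which a `require` of a module in that directory no longer trips the -T check.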
