On Wed, Jun 18, 2008 at 1:53 PM, perlbugs@ch.pkts.ca (via RT) <perlbug-followup@perl.org> wrote:
> # New Ticket Created by perlbugs@ch.pkts.ca
> # Please include the string: [perl #56058]
> # in the subject line of all future correspondence about this issue.
> # <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=56058 >
>
> This is a bug report for perl from perlbugs@ch.pkts.ca,
> generated with the help of perlbug 1.35 running under perl v5.8.8.
>
> -----------------------------------------------------------------
> [Please enter your report here]
>
> Untainting is not working in LWP::Simple?
>
> I'm writing a short program that reads an RSS feed and downloads an article.
> I'm using XML::RSS::Parser to process the RSS feed, and LWP::Simple to get it.
> I've untainted the url, and checked it with tainted() from
> Scalar::Util, but I'm still unable to download the article, despite
> untainting it as best I know how.
>
> The error message:
> Insecure dependency in connect while running with -T switch at
> /usr/lib/perl5/5.8.8/i386-linux-thread-multi/IO/Socket.pm line 115.
>
> I've inserted debugging statements into LWP::Simple, and found that
> _get() sometimes taints the data...?
>
> Here is sample code:
> -------------
> #!/usr/bin/perl -wT
> use strict;
>
> use XML::RSS::Parser;
> use LWP::Simple;
> use Scalar::Util qw(tainted);
>
> # Succeed (assuming this url is still valid):
> process("http://www.mailinator.com/showmail.jsp?email=billgates&msgid=21924179");
> print "\n";
>
> my $p = XML::RSS::Parser->new;
> my $feed = $p->parse_uri('http://www.mailinator.com/rss.jsp?email=billgates');
> #my $feed = $p->parse_file('rss.jsp');
> if (!defined $feed) { die("parse: ".($p->errstr)); }
> my @list=$feed->query('//item');
>
> # Fail:
> process($list[0]->query('link')->text_content);
>
> sub process {
>     my $l=$_[0];
>     print $l,"\n";
>
>     # This does untaint the data:
>     if ($l!~m/email=([a-z]+)&msgid=(\d+)/i) {
>         die("Abnormal link for message: $l");
>     }
>     my $email=$1;
>     my $msgid=$2;
>
>     print "email=$email msgid=$msgid\n";
>     if (tainted($email)) { die("email is tainted"); }
>     if (tainted($msgid)) { die("msgid is tainted"); }
>
>     my $url="http://www.mailinator.com/showmail2.jsp?email=$1&msgid=$2";
>
>     print "url=$url\n";
>     if (tainted($url)) { die("url is tainted"); }
>
>     # This dies with a taint error?!?
>     my $content=get($url);
>
>     #print $content;
> }
>

Although LWP::Simple is a very popular module, it is not included with
the Perl core and not supported here. I'm CC'ing the module author,
Gisle Aas, to see if he can perhaps help you out. As for the Perl
core, this ticket will be closed.

Steve Peters
steve@fisharerojo.org