
[MacPerl] taint checks and CGI.pm



Hello MacPerl List

I have just experimented with taint checks. I was very surprised
to find that my @INC is not valid any more. Fortunately I remembered
that there is a draft chapter about CGI in the new MacPerl book.
It explains that the user paths of @INC are insecure.
If you think about it, you know it is true.

It shows the following solution:
BEGIN {
	unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
}

But the problem is that CGI.pm is not working now:
it autoloads a lot of its code with eval,
and since it finds itself via @INC, and @INC is tainted via
$ENV{MACPERL}, taint checking fails.
(I'm not sure about the reason, but I'm sure that it fails.)
Try, for example:

BEGIN {
	unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
}
use CGI ':standard';
print header;

MacPerl 5.15r4 tells me:
# Insecure dependency in eval while running with -T switch.
File 'work:MacPerl ƒ:lib:CGI.pm'; Line 575


I needed to write
BEGIN {
	unshift @INC, "work:MacPerl ƒ:lib:MacPPC:","work:MacPerl ƒ:lib:"
}
to get my script working.
This is not a very good solution, because the script is very unportable now,
but I see no other.
I still wonder why "use CGI" was secure,
but the eval in autoload was not.

Has anybody had experience with this?

regards

Karsten Meier


---------------------------------------------------------------------
Karsten Meier
EMail krstnmr@ibm.net
WWW: http://www.meier-online.com with following highlights:
 * German MacPerl Primer * XTensions for use with QuarkXPress 
Unsolicited and/or commercial email is not permitted at this address.
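The following is an added example, not code from Karsten's post, from CGI.pm or from MacPerl. It shows, on a modern Unix perl run as `perl -T`, the mechanism the post is fighting: every value read from %ENV is tainted, interpolating a tainted value into a string taints the result, and a string eval whose argument is tainted is refused with exactly the "Insecure dependency in eval" error quoted above. Perl only enforces taint at operations it considers dangerous, and string eval is one of them, which is why a tainted value can travel a long way before anything complains. The example then untaints the path through a regex capture, the only sanctioned way to clear the flag, so that the BEGIN block can stay portable instead of hard-coding "work:MacPerl ƒ:". The environment variable name MACPERL is taken from the post; the sample path, the `substr(..., 0, 0)` tainting trick used when MACPERL is unset, the allow-list in the regex, and the function names are assumptions for the demo. Whether untainting $ENV{MACPERL} would also have cured the CGI.pm autoload failure on MacPerl 5.15r4 is not something the post settles.

```perl
#!/usr/bin/perl -T
# Added example, not code from the post, from CGI.pm or from MacPerl.
# Run with taint checks on (the -T on the command line must match the #! line):
#     perl -T taint_demo.pl
# Shows how taint flows from %ENV into @INC entries and into a string eval,
# and how a regex capture untaints the path at its source.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything read from %ENV is tainted. Outside MacPerl $ENV{MACPERL}
# is normally unset, so fall back to a constructed sample path and taint it by
# appending an empty slice of a real environment value: the slice carries the
# taint flag but no characters (the idiom perlsec uses in its is_tainted()).
my $macperl = defined $ENV{MACPERL}
    ? $ENV{MACPERL}
    : 'work:MacPerl ƒ:' . substr($ENV{PATH} // '', 0, 0);

sub report {
    my ($label, $value) = @_;
    printf "%-32s %s\n", $label, tainted($value) ? 'TAINTED' : 'clean';
}

# Try a string eval and report whether perl accepted it; a taint violation is
# a fatal error, so it is caught by the surrounding block eval.
sub try_eval {
    my ($code) = @_;
    my $result = eval { my $v = eval $code; die $@ if $@; $v };
    return defined $result
        ? "accepted, result $result"
        : "refused: " . ($@ =~ s/ at .*//sr);
}

# Untaint a Mac-style path by extracting it through a capture. The allow-list
# (letters, digits, space, colon, dot and high-bit bytes such as the Mac Roman
# folder symbol) is an assumption for this demo; tighten it for a real install.
sub untaint_mac_path {
    my ($path) = @_;
    return unless defined $path;
    my ($safe) = $path =~ /^([\w .:\x80-\xff]+)$/;
    return $safe;    # undef when the value contains anything outside the list
}

report('$ENV{MACPERL} (or sample)', $macperl);

# Interpolating a tainted value taints the whole string, so the @INC entries
# built by the BEGIN block in the post inherit the taint.
my @inc_dirs = ("${macperl}lib:MacPPC:", "${macperl}lib:");
report('"$ENV{MACPERL}lib:"', $inc_dirs[1]);

# Identical source text, once clean and once carrying a taint flag: perl runs
# the first and refuses the second with the message quoted in the post.
my $clean_code   = '2 + 2';
my $tainted_code = $clean_code . substr($macperl, 0, 0);
print "eval of clean code:    ", try_eval($clean_code),   "\n";
print "eval of tainted code:  ", try_eval($tainted_code), "\n";

# Untaint at the source and every value derived from it stays clean.
my $safe_macperl = untaint_mac_path($macperl);
die "MACPERL path has unexpected characters; not adding it to \@INC\n"
    unless defined $safe_macperl;
report('untainted MACPERL', $safe_macperl);
report('"${safe_macperl}lib:"', "${safe_macperl}lib:");
print "eval after untainting: ",
    try_eval($clean_code . substr($safe_macperl, 0, 0)), "\n";

# The same idea applied to the BEGIN block from the post, keeping it portable:
#   BEGIN {
#       my ($dir) = $ENV{MACPERL} =~ /^([\w .:\x80-\xff]+)$/
#           or die "Refusing to use MACPERL: unexpected characters\n";
#       unshift @INC, "${dir}lib:MacPPC:", "${dir}lib:";
#   }
```

Scalar::Util is a core module, so nothing needs installing. The design point is that the regex is not a formality: its character class is the statement of what a legitimate installation path looks like, and a value that fails it is rejected rather than "cleaned", because a blanket `/^(.*)$/` capture would strip the taint flag while keeping whatever an attacker put in the environment.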



***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch