[Date Prev][Date Next][Thread Prev][Thread Next]
[Search]
[Date Index]
[Thread Index]
[MacPerl] taint checks and CGI.pm
Hello MacPerl List
I have just experimented with taint checks. I was very surprised
to find that my @INC is not valid any more. Fortunately I remembered
that there is a draft chapter about cgi in the new MacPerl Book.
It explains that the user pathes of @INC are insecure.
If you think about it, you know it is true.
It shows the following solution:
BEGIN {
unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
}
But the Problem is CGI.pm is not working now:
It autoloads lot of its code with eval,
and since it finds itself via @INC, and @INC is tainted via
$ENV{MACPERL}, taintchecking fails.
(I'm not sure about the reason, but I'm sure that it fails)
try for example:
BEGIN {
unshift @INC, "$ENV{MACPERL}lib:MacPPC:","$ENV{MACPERL}lib:"
}
use CGI ':standard';
print header;
MacPerl 5.15r4 tells me:
# Insecure dependency in eval while running with -T switch.
File 'work:MacPerl Ä:lib:CGI.pm'; Line 575
I needed to write
BEGIN {
unshift @INC, "work:MacPerl Ä:lib:MacPPC:","work:MacPerl Ä:lib:"
}
to get my script working.
This is not a very good solution, because the script is very unportable now,
but I see no other.
I'm still wonder why "use CGI" was secure,
but the eval in autoload not.
Has anybody experiences with this?
regards
Karsten Meier
---------------------------------------------------------------------
Karsten Meier
EMail krstnmr@ibm.net
WWW: http://www.meier-online.com with following highlights:
* German MacPerl Primer * XTensions for use with QuarkXPress
Unsolicited and/or commercial email is not permitted at this address.
***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch