At the moment we have issues with TestCommon::Utils::is_tainted
It used to be:
    sub is_tainted {
        my $data = shift;
        # String-eval $data inside a block eval: under -T the string eval
        # dies with "Insecure dependency in eval" when $data is tainted.
        eval { eval $data };
        return ($@ && $@ =~ qr/Insecure dependency in eval/) ? 1 : 0;
    }

but it didn't work with 5.6 on tainted vars with empty strings, and I worked around it by adding " " to $data.
Then I registered a breakage with 5.8.0, which was failing with:

    Insecure dependency in eval while running setgid at /home/stas/apache.org/mp2-cvs/t/lib/TestCommon/Utils.pm line 10.

So it won't even let me trap the string eval with eval {}. I'm not sure how to deal with that bug in 5.8.0 (not sure what other perls are affected: tested to work fine with 5.6.1 and 5.8.5).

So does anybody have any other ideas on a better function that will tell us whether a given scalar is tainted, besides adding a helper XS sub which will just check the tainted flag?

Also, when I wrote that one I hadn't realized that the string it may eval can be absolutely anything. So in the case of t/apache/read.t it was eval'ing a Makefile, which is obviously dangerous. I've tried to work around it with:
    sub is_tainted {
        my $data = shift;
        # Prepend " " so the string is never empty, then keep only that first
        # character: $x is always " " but inherits the taint flag of $data.
        my $x = " " . substr($data, 0, 1);
        $x = substr($x, 0, 1);    # $x eq " " and tainted
        eval { eval $x };
        return ($@ && $@ =~ qr/Insecure dependency in eval/) ? 1 : 0;
    }

which always leaves only " " in $x, and $x will be tainted if $data was tainted. But it doesn't work with 5.8.0 because of that setgid trigger :(
--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
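The following is an added example by the editor, not code from Stas's message or from the mod_perl test suite. It shows the two taint checks a practitioner would reach for instead of string-eval'ing the data itself: the perlsec idiom, which evals a comment containing only a zero-length substring of the data (so the taint flag travels with it but nothing in the data is ever compiled), and Scalar::Util::tainted(), which reads the scalar's taint flag directly and never goes through eval. The names is_tainted_eval and is_tainted_xs are the example's own, the inputs are constructed from %ENV and a literal, and PATH is assumed to be set. Nothing here is claimed about the 5.8.0 setgid behaviour described above; the script only demonstrates the checks on a perl where eval {} traps the taint exception.

```perl
#!/usr/bin/perl -T
# Added example (not from the original message): two ways to ask whether a
# scalar is tainted under `perl -T`, neither of which ever executes the data.
use strict;
use warnings;
use Scalar::Util ();

# perlsec's idiom. substr() preserves the taint flag, so the string handed to
# the inner eval is tainted iff $data is, and since it is "#" plus nothing it
# compiles to an empty comment: a Makefile in $data cannot be executed. The
# trailing `1` makes the outer eval return true only when the inner eval did
# not die, so the negation yields "tainted".
sub is_tainted_eval {
    my $data = shift;
    local $@;    # do not clobber the caller's $@
    return eval { eval('#' . substr($data, 0, 0)); 1 } ? 0 : 1;
}

# Scalar::Util::tainted() inspects the SV's taint flag (XS, with a pure-Perl
# fallback) and does not go through eval at all.
sub is_tainted_xs {
    return Scalar::Util::tainted($_[0]) ? 1 : 0;
}

# Constructed inputs: every %ENV value is tainted under -T, a literal is not,
# a zero-length substring keeps the taint, and a regex capture is perlsec's
# documented way to launder data once you have validated it.
defined $ENV{PATH} or die "example assumes PATH is set in the environment\n";
my $tainted     = $ENV{PATH};                          # tainted
my $literal     = "/usr/bin";                          # clean
my $empty       = substr($tainted, 0, 0);              # '' but still tainted
my ($laundered) = $tainted =~ m{^([\w/:.-]+)\z};       # clean copy, or undef

for my $case ([tainted => $tainted], [literal => $literal],
              [empty => $empty],     [laundered => $laundered]) {
    my ($name, $value) = @$case;
    next unless defined $value;    # PATH with odd characters fails the regex
    printf "%-10s eval:%d  xs:%d\n", $name,
        is_tainted_eval($value), is_tainted_xs($value);
}
```

Run it as `perl -T taint_check.pl` (perl refuses a `-T` shebang unless the flag is also given on the command line). Both checks should agree on every row, and the "empty" row is the case the original is_tainted tripped over: a zero-length tainted string, which the "#" prefix handles without having to smuggle in a " " character.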
