Stas Bekman wrote:
>> Taken from perlsec(1):
>>
>>     sub is_tainted { return ! eval { join('',@_), kill 0; 1; }; }
>
> Thanks Dominique, I'll try that.

It doesn't work for the same reason my previous approach didn't work.
Insecure dependency in kill while running setgid at /home/stas/apache.org/mp2-cvs/t/lib/TestCommon/Utils.pm line 5.
Any other ideas?
> Hmm, I can't find that in perlsec. Which perl's manpage are you
> looking at?
>
> Well it's section "Laundering and Detecting Tainted Data" in the perlsec man page, as shipped with RedHat 7.3 (Perl 5.6.1) and Debian stable (5.6.1) and testing (5.8.0).
Ah, thanks, starting from 5.8.0 (your 5.8.0 is not the real 5.8.0) it was changed to:

    sub is_tainted {
        return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
    }

but it doesn't work, for just the same reason. eval {} can't be called when perl thinks that the binary is setgid...
--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
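
An added example, not part of the original message or of the mod_perl test suite: the 5.8.0 perlsec check quoted above, run under `perl -T` next to `Scalar::Util::tainted`, which reports the taint flag of its argument instead of trapping an exception. The use of `Scalar::Util`, the sample values and the laundering pattern are assumptions of this example; the thread does not say whether this changes the setgid behaviour described above.

```perl
# Run as: perl -T taint_demo.pl   (file name is a placeholder)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec variant from 5.8.0 onwards: a string eval of tainted data dies
# with "Insecure dependency in eval", and the outer eval {} traps it.
sub is_tainted {
    local $@;    # keep the trapped error out of the caller's $@
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

die "taint mode is off, run with: perl -T $0\n" unless ${^TAINT};

# Constructed sample values.
my $from_env = $ENV{PATH};    # environment data is tainted under -T
$from_env = '' unless defined $from_env;
my $literal = "/usr/bin";     # string literals in the program are clean

# Laundering as described in perlsec: only a regex capture yields
# untainted data, so the pattern must be a real allow-list.
my ($laundered) = $from_env =~ m{\A([\w/:.-]*)\z};
$laundered = '' unless defined $laundered;    # PATH did not match the allow-list

my @cases = (
    [ "env PATH",  $from_env ],
    [ "literal",   $literal ],
    [ "laundered", $laundered ],
);

# Print both verdicts side by side; they should agree for every row.
for my $case (@cases) {
    my ($name, $value) = @$case;
    printf "%-10s eval-check=%d Scalar::Util=%d\n",
        $name,
        is_tainted($value) ? 1 : 0,
        tainted($value)    ? 1 : 0;
}
```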
