Solaris 2.6, Perl 5.6, apache 1.3.9, mod_perl 1.24.

I see intermittent Apache error_log entries like:

[Mon Jul 24 04:08:02 2000] [error] Insecure dependency in require 
while running with -T switch at (eval 85) line 3.

Here's what perldiag says:
      Insecure dependency in %s
          (F) You tried to do something that the tainting
          mechanism didn't like.  The tainting mechanism is turned
          on when you're running setuid or setgid, or when you
          specify -T to turn it on explicitly.  The tainting
          mechanism labels all data that's derived directly or
          indirectly from the user, who is considered to be
          unworthy of your trust.  If any such data is used in a
          "dangerous" operation, you get this error.  See the
          perlsec manpage for more information.

OK, I (normally) run with PerlTaintCheck on, and I've read perlsec. 
My PATH is ''. How can I find out where this insecure dependency 
_is_, so I can turn taint back on? The timestamp tells me which 
script failed, and it uses a whole slew of modules.
        use strict;
        use Apache::Constants qw/:http/;
        use LWP;
        use tuner;
        use MIME::Lite;
        use HTML::Parse;

I suspect MIME::Lite, but the code won't work if I remove it. How can 
I be sure if it's to blame, so I can attempt to patch it (or its 
dependencies)? Is there anything like a Taint::Carp, that'd give me a 
full back-trace from the insecure code (and works under mod_perl)?

Running with PERL5OPT=-d is no good; the problem never shows up. perl 
-cwT shows nothing (which confirms that it's a runtime error, I 
suppose).

The Guide, perlrun, perlsec, and the perl books I've read are... a 
little weak on Taint debugging techniques. If I can ever work through 
the problems I'm having, I'll be delighted to contribute some docs on 
this.

I'd really like to run with PerlTaintCheck on - any ideas?

thanks,
-- Mike
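
Added example (not part of the original post): a stand-alone script, run with `perl -T`, that reproduces "Insecure dependency in require" inside a string eval and uses a `$SIG{__DIE__}` handler calling `Carp::confess` to attach the full call chain to the error. The script name, `load_plugin`, `untaint_file`, `handler` and the tainted sample value are hypothetical and constructed for illustration, and the untainting pattern is an assumption about what a valid module file name looks like.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T taint_trace.pl  (script name is hypothetical)
use strict;
use warnings;
use Carp ();
use Scalar::Util qw(tainted);

die "run with -T\n" unless ${^TAINT};

# Constructed tainted input: a zero-length slice of tainted data is itself
# tainted, so appending it taints a string without changing its value.
my $TAINT = substr("$0$^X", 0, 0);

# Hypothetical loader: the file name handed to require came from outside.
sub load_plugin {
    my ($file) = @_;
    # __DIE__ also fires inside eval; confess appends the whole call chain.
    local $SIG{__DIE__} = sub { Carp::confess(@_) };
    my $ok = eval q{
        # string eval, so the error is reported at "(eval N) line 3"
        require $file;
        1;
    };
    return $ok ? '' : $@;
}

# perlsec's way to launder data: validate it and keep only the regex capture.
sub untaint_file {
    my ($file) = @_;
    return $file =~ m{\A((?:\w+/)*\w+\.pm)\z} ? $1 : undef;
}

sub handler { return load_plugin($_[0]) }    # extra frame to show in the trace

my $name = 'Text/Wrap.pm' . $TAINT;          # same text, now tainted
print "tainted before: ", (tainted($name) ? 1 : 0), "\n";
print handler($name);                        # taint error plus stack trace
my $clean = untaint_file($name);
print "tainted after:  ", (tainted($clean) ? 1 : 0), "\n";
print handler($clean) eq '' ? "require ok\n" : "require failed\n";
```

The trace lists each caller with its arguments, which is what identifies the code that passed the tainted value to `require`.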
