On Fri, 8 Dec 2000, Bruce W. Hoylman wrote:

> >>>>> "Stas" == Stas Bekman <[EMAIL PROTECTED]> writes:
> 
>     >> Plus, I *always* use '-w' and '-T' and get them cleanly working
>     >> during development phases, although I shut them off for actual
>     >> deployment.
> 
>     Stas> 1. You cannot use -T under mod_perl, you should use
>     Stas>    PerlTaintCheck
>     Stas> instead: http://perl.apache.org/guide/porting.html#Taint_Mode
> 
> This is what I was referring to actually.  However, there are many
> modules, such as Date::Manip, for example, that just will not load with
> taint checking turned on.  In an intranet, it's not as big a deal as it
> certainly is in the 'real world'.

You should contact the author of the module and ask him to fix it. It's
possible that he isn't aware of the taint issues. Usually for modules
that execute shell/fork but don't pass any tainted args, the fix is as
trivial as adding:

  $ENV{'PATH'} = '/bin:/usr/bin';
  delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

(taken from perlsec manpage)

Hmm, maybe we should find a way for modules to be taint-checked before
they are allowed onto CPAN? What do you think? Sort of:

eval {`perl -cwT $_` for (<*.pm>) };


> But what can I do, short of rewriting the parts of the module that
> don't function with checking on
> 
>     Stas> 2. 'PerlTaintCheck On' is a must in production!!! not
>     Stas>    development:
>     Stas> * http://www.gunther.web66.com/FAQS/taintmode.html
>     Stas> * perldoc perlsec
> 
> Thanks for the input.

You are very welcome :)

> Peace.

Sex, drugs and rock-n-roll!


_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://logilune.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/  



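The following is an added example, not code from the mail above or from any of the modules it mentions. It shows in one runnable script what the thread is talking about: why a module that only forks or shells out with fixed arguments still dies under taint mode, and how the two perlsec lines Stas quotes make that call pass. The file name taint_demo.pl and the sub names untaint_name, sanitize_env and run_true are my own; the only assumption about the environment is that a `true` program exists in /bin or /usr/bin.

```perl
# Added example (not from the original mail): what perl's taint mode
# rejects, and why the two perlsec lines quoted above are enough for a
# module that only runs external commands with fixed arguments.
# Run as:  perl -T taint_demo.pl   (PerlTaintCheck On is the mod_perl equivalent)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this script with perl -T\n" unless ${^TAINT};

# Every value that enters from outside the program (here %ENV) is tainted.
# Concatenating a tainted empty string is the usual way to deliberately
# taint a constructed test value like this one.
my $tainted_empty = substr($ENV{PATH} // '', 0, 0);
my $name = $tainted_empty . 'alice';

# Only a regex capture launders tainted data, so the pattern is the
# whitelist: allow exactly the characters you are willing to pass on.
sub untaint_name {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A([\w.-]+)\z/
        or die "refusing unexpected characters in '$raw'\n";
    return $clean;
}

# The perlsec fix from the thread: a fixed, absolute PATH and none of the
# variables a spawned shell would read on startup.
sub sanitize_env {
    $ENV{'PATH'} = '/bin:/usr/bin';
    delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
}

# Under -T perl refuses system()/exec/backticks while $ENV{PATH} is tainted,
# even when no argument passed to the command is tainted. That is the
# failure a module hits the moment it forks, before any of its own code runs.
sub run_true {
    my $ok = eval { system('true') == 0 };
    return 'ran' if $ok;
    my $err = $@;
    chomp $err;
    return "refused: $err";
}

printf "constructed input tainted: %s\n", tainted($name) ? 'yes' : 'no';
printf "untainted copy tainted:    %s\n", tainted(untaint_name($name)) ? 'yes' : 'no';
printf "system() before env fix:   %s\n", run_true();   # Insecure $ENV{PATH} ...
sanitize_env();
printf "system() after env fix:    %s\n", run_true();
```

The first system() call is rejected with "Insecure $ENV{PATH} while running with -T switch" although 'true' itself is a literal; after sanitize_env() the same call runs. Note that untaint_name() dies rather than returning the original string when the whitelist does not match, which is the behaviour you want from a module that is asked to pass user data to a shell.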