Mike Cardwell wrote:
> Hi,
> 
> I installed the new release of ModPerl2 today. I've not used any of the
> betas previously so am not sure if the problem is specific to this
> version or not. In my PerlResponseHandler I have the following code:
> 
> package MyApache::Handler;
> 
> use strict;
> use warnings;
> use Apache2::RequestRec ();   # $r->filename, $r->content_type
> use Apache2::RequestIO ();    # $r->print
> use Apache2::Const -compile => qw(OK);
> 
> sub handler {
>    my $r = shift;
>    # untaint the filename through a regex capture (the pattern accepts any
>    # value, so this only clears the taint flag, it does not validate the path)
>    my( $path ) = $r->filename()=~/^(.*)$/;
>    eval{ require $path };
>    $r->content_type('text/plain');
>    if( $@ ){
>       $r->print($@);
>    } else {
>       $r->print("Required $path success");
>    }
>    return Apache2::Const::OK();
> }
> 
> 1;
> 
> I get the following message printed out:
> 
> "Insecure dependency in eval while running setgid at
> /var/www/devel/perl_modules/MyApache/Handler.pm"
> 
> Why? Everything is untainted... I'm not using suexec.  I'm using
> apache2-mpm-fork if that makes any difference, although I doubt it does.

You've untainted $path, but other things may still be tainted, e.g. @INC. From perlsec.pod:

      Note that if a tainted string is added to @INC, the following
      problem will be reported:

         Insecure dependency in require while running with -T switch

Not exactly the same, but it probably is.

See, for example, how we untaint @INC in Apache-Test:

# Temporarily untaint PATH
# WIN32 is a constant defined elsewhere in Apache-Test; inlined here so the
# sub runs on its own
use constant WIN32 => $^O eq 'MSWin32';

sub untaint_path {
    my $path = shift;
    # a regex capture clears the taint flag; this pattern accepts anything
    ($path) = ( $path =~ /(.*)/ );
    # win32 uses ';' for a path separator, assume others use ':'
    my $sep = WIN32 ? ';' : ':';
    # -T disallows relative and empty directories in the PATH
    return join $sep, grep !/^(\.|$)/, split /$sep/, $path;
}

> I can require the module from a script using PerlRequire fine, however I
> need to be able to dynamically require modules inside my
> PerlResponseHandler...




--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
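The following script is an added example, not code from this thread, from mod_perl or from Apache-Test. It reproduces the situation the reply describes: one tainted entry in @INC is enough to make a dynamic `require` die under taint checks, and laundering the entries (and dropping empty or relative directories, as the Apache-Test helper does) makes the same `require` succeed. The `untaint_inc` helper, the character class it accepts (`[\w./-]`) and the one-line `Demo` module are all constructed for the example; the tainted directory is produced by appending the empty prefix of a tainted `%ENV` value, which taints a copy without changing it. Note that the message in the original report says "while running setgid": perl switches taint checks on by itself when the real and effective user or group ids differ, so the checks apply even when no `-T` was passed.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread, mod_perl or Apache-Test).
# Run with taint checks on:   perl -T untaint_inc_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);
use File::Spec;

# Return a cleaned copy of an @INC-style list: @INC hooks (references) pass
# through untouched, empty and relative directories are dropped, and every
# remaining directory is untainted through a regex capture that allows only
# the characters we expect in a path we control (assumption for this demo).
sub untaint_inc {
    my @clean;
    for my $entry (@_) {
        if (ref $entry) {                        # code ref / object hook
            push @clean, $entry;
            next;
        }
        next unless defined $entry && length $entry;
        next unless File::Spec->file_name_is_absolute($entry);
        next unless $entry =~ m{^([\w./-]+)\z};   # the capture is untainted
        push @clean, $1;
    }
    return @clean;
}

# Constructed fixture: a throw-away directory holding a one-line module.
my $dir = tempdir(CLEANUP => 1);                 # clean: derived from /tmp, not %ENV
open my $fh, '>', "$dir/Demo.pm" or die "cannot write Demo.pm: $!";
print {$fh} "package Demo; sub greet { 'hello from Demo' } 1;\n";
close $fh or die "close: $!";

# Simulate a directory that arrived from an untrusted source (a config value,
# request data): appending the empty prefix of a tainted %ENV value taints
# the copy without changing its contents.
my $tainted_dir = $dir . substr($ENV{PATH} // '', 0, 0);
printf "directory copy is tainted: %s\n", tainted($tainted_dir) ? 'yes' : 'no';

# 1) With the tainted directory at the front of @INC, require dies.
{
    local @INC = ($tainted_dir, @INC);
    if (eval { require Demo; 1 }) {
        print "unexpected: require succeeded with a tainted \@INC entry\n";
    } else {
        print "require with tainted \@INC entry failed: $@";
    }
    delete $INC{'Demo.pm'};   # make sure the next attempt really reloads
}

# 2) After laundering, no entry is tainted and the same require succeeds.
{
    local @INC = untaint_inc($tainted_dir, @INC);
    my $left = grep { !ref $_ && tainted($_) } @INC;
    print "tainted entries left after untaint_inc: $left\n";
    if (eval { require Demo; 1 }) {
        print Demo->greet(), "\n";
    } else {
        print "require still failed: $@";
    }
}
```

The script must be started with `perl -T` (a `-T` on the shebang line alone is rejected as "Too late"). The first block prints the "Insecure dependency in require while running with -T switch" message quoted from perlsec.pod; the second prints the module's greeting. The helper keeps the check that matters from a defensive standpoint: it does not launder arbitrary strings the way a bare `/(.*)/` capture would, but only accepts absolute directories made of characters the deployment expects, so a tainted value that does not look like one of your own library paths is dropped rather than silently trusted.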
