I've been running into a problem with taint checks failing in an
unexpected way under load.

This is running inside mod-perl, but I don't believe it has anything to
do with mod-perl, per se, other than perhaps the interpreter lives a bit
longer than the average.

I am actually running the Debian GNU/Linux (i386) package of 5.8.7-3,
but a very cursory look at the diffstat of changes makes me think that
it is not very divergent from mainline 5.8.7.

With that said, the Debian bug entry is at http://bugs.debian.org/303308

On to the more detailed problem description:

The following snippet of code, when run in taint mode, sometimes fails
with a taint error:

        # normalise the page name: lower-case, then strip anything
        # outside [a-z0-9]
        $page =~ tr/A-Z/a-z/;
        $page =~ tr/a-z0-9//cd;

        # untaint by copying the capture of an anchored match
        $page =~ m/^([A-Z0-9]*)$/i;

        $page = $1;

        # build the code to load and instantiate the per-page form class
        my $ev = sprintf 'require ACI::Forms::%s; $self = new ACI::Forms::%s($q);', $page, $page;

        $l->log('info', "page (value = '%s') is tainted when about to eval '%s'", $page, $ev)
                if is_tainted($page);

        $l->log('info', "ev (value = '%s') is tainted when about to eval for page '%s'", $ev, $page)
                if is_tainted($ev);

        eval $ev;

        if ($@) {
                $l->log('err', 'Tried to eval %s, got %s', $ev, $@);
                return undef;
        }

Specifically, the eval $ev; line fails.

The calls to $l->log() do trigger:

Apr  5 18:47:00 ryan2 index.pl[4539]: 10.37.1.38/ryan ACI::Forms page
(value = 'main') is tainted when about to eval 'require
ACI::Forms::main; $self = new ACI::Forms::main($q);'


Apr  5 18:47:00 ryan2 index.pl[4539]: 10.37.1.38/ryan ACI::Forms ev
(value = 'require ACI::Forms::main; $self = new ACI::Forms::main($q);')
is tainted when about to eval for page 'main'

$page should begin tainted.  This is a snippet of code that runs inside
mod_perl and Apache, using Apache::Registry, Apache::DBI and CGI.pm.

Note: This is an intermittent failure.

This was not the first request handled by this particular Apache
process, nor the last (it is still running after this error.)  This
Apache process does appear to be corrupted or broken, in some manner,
after the first time this error is reached, as it appears to fail fairly
consistently afterwards. (Though not always 100%)

is_tainted is pulled from perlsec:

sub is_tainted {
        return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

I'm trying to get a test done with perl-current (bleadperl), but we're
still getting a build environment up to test it in.

For an idea of how hard it is to actually trigger this bug reliably,
I've tried to reproduce it today on a test machine, and I succeed in
breaking one Apache process.  I updated my test code slightly to test a
work-around (i.e., kill the broken Apache child process off as soon as
I hit this bug so it can't break more than one request), and have been
unable to re-trigger the bug.  This covers about 32000 requests, so far.

If anyone has a suggestion, debugging patch, magic incantation to say
over sacrificial chickens, I'd appreciate it.

I'm not subscribed, so please cc: me on replies.

-- 
Ryan Anderson
AutoWeb Communications, Inc.
email: [EMAIL PROTECTED]
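As an added, stand-alone illustration of the taint gate the snippet above depends on (this is not code from the original message): it reads a page name from @ARGV, which is tainted under -T, shows that is_tainted() reports it, untaints it through an anchored regex capture, and only then resolves the class. It goes slightly beyond the original by refusing an empty name and checking that the match succeeded before using $1; the ACI::Forms::* classes are not available here, so a constructed Demo::Forms::main stub stands in for them and a method call replaces the string eval.

```perl
use strict;
use warnings;

# is_tainted as given in perlsec (same routine the original message uses).
sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Untaint a page name: lower-case it, strip everything outside [a-z0-9],
# then require an anchored, non-empty match and copy the capture.
# Returns undef when nothing usable is left, so the caller never acts
# on a stale $1 from an earlier match.
sub untaint_page {
    my ($page) = @_;
    $page =~ tr/A-Z/a-z/;
    $page =~ tr/a-z0-9//cd;
    return undef unless $page =~ m/^([a-z0-9]+)$/;
    return $1;
}

# Constructed stand-in for the ACI::Forms::<page> classes (hypothetical).
package Demo::Forms::main;
sub new { my ($class, $q) = @_; return bless { q => $q }, $class; }
package main;

my $raw = defined $ARGV[0] ? $ARGV[0] : 'MAIN';   # @ARGV is tainted under -T
printf "raw input '%s' tainted: %d\n", $raw, is_tainted($raw) ? 1 : 0;

my $page = untaint_page($raw);
die "no usable page name in input\n" unless defined $page;
printf "untainted page '%s' tainted: %d\n", $page, is_tainted($page) ? 1 : 0;

# Build the class name from the untainted value and resolve it without a
# string eval: only a package that already defines new() is constructed.
my $class = "Demo::Forms::$page";
my $self  = $class->can('new') ? $class->new('q-placeholder') : undef;
print defined $self ? "constructed $class\n" : "unknown page class $class\n";
```

Run it as `perl -T example.pl 'Main/../x'` to see the tainted input reported, reduced to `mainx`, and then rejected as an unknown class, and as `perl -T example.pl MAIN` to see the constructed stub resolved.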
