(I accidentally deleted my lib/news/inews binary, so I'm waiting for a
backup to be restored. Sorry for bothering you directly like this...)
In a recent "comp.lang.perl.misc" posting, you shared a number of
thoughts about scrubbing, untainting, and such. (You talked about
almost turning it into a FMTEYEWTK...)
I sent some mail to Graham Barr about this yesterday, but in case you
might have already dealt with it, I was wondering if you might know why
I'm getting an "Insecure dependency" error when I try to run Graham's
Net::FTP routines. Specifically, calling &Net::FTP->new() with "-T"
(or as setuid()) results in a call to &AUTOLOAD to retrieve the value
of AF_INET, and that results in an error message relating to line 129
in Socket.pm:
eval "sub $AUTOLOAD { $val }";
(I even tried replacing that occurrence of AF_INET with its value (2),
and it _still_ complained about the exact same thing... *sigh*)
I looked through the "perlbugs" database and found a number of
references about tainting/untainting problems, but they all seem
resolved, so unless I've uncovered a bug, I figure I'm doing something
wrong here. I can't quite put my finger on it, though.
BTW, is it reasonable to expect that modules added to CPAN might have
first been checked for things like this? Or isn't this aspect of PERL
(tainting) used very much? I don't mean to cast aspersions on Graham
and his work, but I was just curious about that. (And if, in fact, his
routines (and Socket.pm) are known to work well in a "-T"/setuid()
environment, then I must be indeed doing something wrong ... again.)
Any chance you might be able to touch on this in the newsgroup?
Specifically, are there untainting concerns when reading/writing
sockets?
Thanks!
--
Mark D. Conty c22309@j1xsfs90.is.nwa.com
Northwest Airlines mdconty@idss.nwa.com
IS/Applications <>< mdc@winternet.com
backup to be restored. Sorry for bothering you directly like this...)
In a recent "comp.lang.perl.misc" posting, you shared a number of
thoughts about scrubbing, untainting, and such. (You talked about
almost turning it into a FMTEYEWTK...)
I sent some mail to Graham Barr about this yesterday, but in case you
might have already dealt with it, I was wondering if you might know why
I'm getting an "Insecure dependency" error when I try to run Graham's
Net::FTP routines. Specifically, calling &Net::FTP->new() with "-T"
(or as setuid()) results in a call to &AUTOLOAD to retrieve the value
of AF_INET, and that results in an error message relating to line 129
in Socket.pm:
eval "sub $AUTOLOAD { $val }";
(I even tried replacing that occurrence of AF_INET with its value (2),
and it _still_ complained about the exact same thing... *sigh*)
I looked through the "perlbugs" database and found a number of
references about tainting/untainting problems, but they all seem
resolved, so unless I've uncovered a bug, I figure I'm doing something
wrong here. I can't quite put my finger on it, though.
BTW, is it reasonable to expect that modules added to CPAN might have
first been checked for things like this? Or isn't this aspect of PERL
(tainting) used very much? I don't mean to cast aspersions on Graham
and his work, but I was just curious about that. (And if, in fact, his
routines (and Socket.pm) are known to work well in a "-T"/setuid()
environment, then I must be indeed doing something wrong ... again.)
Any chance you might be able to touch on this in the newsgroup?
Specifically, are there untainting concerns when reading/writing
sockets?
Thanks!
--
Mark D. Conty c22309@j1xsfs90.is.nwa.com
Northwest Airlines mdconty@idss.nwa.com
IS/Applications <>< mdc@winternet.com