Mailing List Archive

Socket.pm and taintedness
How can I turn off the AutoLoader in Socket.pm? I'm running the WWW library's
LWP::UserAgent in a setuid script. I did find the useEval method to turn off
eval's inside LWP, but inside the AUTOLOAD sub of Socket.pm is a nice fat eval.
Is there a workaround to using the AutoLoader in this case?

Jeff
Re: Socket.pm and taintedness
> From: Jeff Okamoto <okamoto@hpcc123.corp.hp.com>
>
> How can I turn off the AutoLoader in Socket.pm? I'm running the WWW library's
> LWP::UserAgent in a setuid script. I did find the useEval method to turn off
> eval's inside LWP, but inside the AUTOLOAD sub of Socket.pm is a nice fat eval.
> Is there a workaround to using the AutoLoader in this case?

Could you explain more about what you're trying to achieve and why?

Tim.
Re: Socket.pm and taintedness
>> From: Jeff Okamoto <okamoto@hpcc123.corp.hp.com>
>>
>> How can I turn off the AutoLoader in Socket.pm? I'm running the WWW l<SNIP>
>> LWP::UserAgent in a setuid script. I did find the useEval method to t<SNIP>
>> eval's inside LWP, but inside the AUTOLOAD sub of Socket.pm is a nice <SNIP>
>> Is there a workaround to using the AutoLoader in this case?

>Could you explain more about what you're trying to achieve and why?


Probably the eval here is what it doesn't like:

eval {require $name};

the taint checker is probably a little nervous about it.

--mot
Re: Socket.pm and taintedness
> From: Tom Christiansen <tchrist@mox.perl.com>
>
> >> From: Jeff Okamoto <okamoto@hpcc123.corp.hp.com>
> >>
> >> How can I turn off the AutoLoader in Socket.pm? I'm running the WWW l<SNIP>
> >> LWP::UserAgent in a setuid script. I did find the useEval method to t<SNIP>
> >> eval's inside LWP, but inside the AUTOLOAD sub of Socket.pm is a nice <SNIP>
> >> Is there a workaround to using the AutoLoader in this case?
>
> >Could you explain more about what you're trying to achieve and why?
>
> Probably the eval here is what it doesn't like:
>
> eval {require $name};
>
> the taint checker is probably a little nervous about it.

Umm, should we untaint $name?

Tim.
Re: Socket.pm and taintedness
> Could you explain more about what you're trying to achieve and why?

I have a setuid program that is exec'ing a perl script which uses the
libwww module, which calls the Socket module. The eval in Socket.pm
is causing the taint checker to spit out an "Insecure dependency in
eval". I can also get this by adding the -T flag to the perl script
and simply calling it from the prompt.

Jeff
Re: Socket.pm and taintedness
> From: Jeff Okamoto <okamoto@hpcc123.corp.hp.com>
>
> > Could you explain more about what you're trying to achieve and why?
>
> I have a setuid program that is exec'ing a perl script which uses the
> libwww module, which calls the Socket module. The eval in Socket.pm
> is causing the taint checker to spit out an "Insecure dependency in
> eval". I can also get this by adding the -T flag to the perl script
> and simply calling it from the prompt.

Okay. Untainting $name in the AutoLoader seems reasonable.

Tim.
Re: Socket.pm and taintedness
> Okay. Untainting $name in the AutoLoader seems reasonable.

Only if you limit it to identifiers. I don't want anyone
doing funny tricks like *{"../../../barstuff"} = \&darnit
or something to get the autocalled with that as the function to
execute. You could do the untainting using a /(\w+)/ kind
of match instead of a .* one to avoid that problem.

--tom
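Added example, not part of the thread and not the code of Socket.pm or AutoLoader. It shows both points made above: the "Insecure dependency" failure Jeff describes when `require` is handed a tainted name under -T, and Tom's reason for untainting with a `\w+` match rather than a `.*` one. The `"$func.pm"` file template, the `taint_value` helper and the two sample names are assumptions made for the example (the real AutoLoader builds an `auto/<Package>/<func>.al` path from the function name in the same way). Run it as `perl -T example.pl`; the shebang alone is not enough if perl is invoked without -T.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread, Socket.pm or AutoLoader).
# 1. require of a tainted $name dies under -T even when the name is harmless.
# 2. A .* capture launders any string, including "../../../barstuff";
#    a \w+ capture passes only bare identifiers and refuses the rest.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint a constructed value without reading user input: under -T every %ENV
# value is tainted, and concatenating a zero-length slice of tainted data is
# enough to taint the result (assumes a non-empty environment).
sub taint_value {
    my ($s) = @_;
    return $s . substr(join('', values %ENV), 0, 0);
}

# Loose untaint: a .* capture removes the taint flag from anything at all.
sub untaint_loose {
    my ($name) = @_;
    return $name =~ /\A(.*)\z/s ? $1 : undef;
}

# Identifier-only untaint, as suggested in the thread: a run of \w characters
# is accepted, anything else (slashes, dots, spaces) returns undef.
sub untaint_identifier {
    my ($name) = @_;
    return $name =~ /\A(\w+)\z/ ? $1 : undef;
}

# AutoLoader-style step: derive a file from the function name and require it.
# The "$func.pm" template is an assumption for this example.
sub load_by_name {
    my ($func) = @_;
    my $file = "$func.pm";
    my $ok   = eval { require $file; 1 };
    return "loaded $file" if $ok;
    chomp(my $err = $@);
    return "refused: $err";
}

for my $raw ('Socket', '../../../barstuff') {
    my $name = taint_value($raw);
    printf "%-22s tainted=%d\n", "'$raw'", tainted($name) ? 1 : 0;

    # 1. Requiring the tainted name is what the thread hit: -T refuses it
    #    regardless of content ("Insecure dependency in require ...").
    print "  tainted require:    ", load_by_name($name), "\n";

    # 2. The .* untaint clears the flag but not the danger: the traversal
    #    string now reaches require unchallenged (only the missing file
    #    stops it here).
    my $loose = untaint_loose($name);
    printf "  loose untaint:      '%s' tainted=%d\n", $loose, tainted($loose) ? 1 : 0;
    print "  loose require:      ", load_by_name($loose), "\n";

    # 3. The \w+ untaint lets 'Socket' through and never lets the traversal
    #    string get as far as require.
    my $ident = untaint_identifier($name);
    print "  identifier untaint: ",
        defined $ident ? load_by_name($ident) : "rejected, not a bare identifier",
        "\n";
}
```

The contrast to look for in the output is the second and third blocks for `'../../../barstuff'`: after the `.*` untaint Perl reports only that it cannot locate the file, meaning taint mode is no longer protecting anything, while the `\w+` untaint rejects the name before a path is ever built.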