
Finding the source of a perl taint mode error

开发者 (devze.com) https://www.devze.com 2023-03-13 13:31 Source: web

When running a perl CGI script in taint mode, I get an error of the form...

Insecure dependency in some_function while running with -T switch at (eval some_line) line some_other_line.
Compilation failed in require at my-script.cgi line 39.
BEGIN failed--compilation aborted at my-script.cgi line 39.

my-script.cgi line 39 is a use statement for a perl module which does not itself use eval or some_function, but presumably uses another library which does. The some_line and some_other_line line numbers don't seem to make sense in either my-script.cgi or the library which is 'use'd on line 39 of my-script.cgi.

Given this error, how can I track down where the taint error is occurring?

I've tried setting a new die signal handler which should print a stack trace, i.e.

$SIG{ __DIE__ } = sub { require Carp; Carp::confess(@_); };

but this seems to have no effect on the error. Perhaps this is the wrong signal to be trapping, not happening early enough, or something more complex is required.


Carp::Always works fine with exceptions raised by taint checks. Example output:

$ perl -MCarp::Always -T blah.pl
Insecure dependency in sprintf while running with -T switch at blah.pl line 6
        main::foo() called at blah.pl line 8
        main::bar() called at blah.pl line 10


I use Devel::SimpleTrace a lot these days for debugging and it recently helped me find a taint bug when using Archive::Zip.

However, I don't know if it would have worked in your case since it is essentially setting the same sig handler that you used.

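As an added illustration of why the handler in the question never fires (this is example code, not from the question or either answer): a `use` statement is compiled and run before any run-time assignment to `$SIG{__DIE__}`, so the handler has to be installed in a `BEGIN` block placed ahead of the `use` lines. The module is stood in for by an inline `BEGIN` block with a hypothetical package name, and `$ENV{HOME}` is assumed to be set; run it with `perl -T`.

```perl
use strict;
use warnings;

# Run this file as:  perl -T taint_trace.pl
# `use Foo;` is equivalent to `BEGIN { require Foo; Foo->import }`, so it runs
# at compile time. A $SIG{__DIE__} handler assigned at run time (as in the
# question) does not exist yet when a taint error is raised while the module
# loads; installing it in a BEGIN block ahead of the `use` lines fixes that.
BEGIN {
    $SIG{__DIE__} = sub { require Carp; Carp::confess(@_) };
}

# Stand-in for the library loaded on the question's line 39 (hypothetical
# package name, defined inline so the example is a single file). Like a
# `use` statement, this BEGIN block runs while the script is being compiled.
BEGIN {
    package Example::Logger;

    sub open_log {
        # Every %ENV value is tainted under -T, so this path is tainted too.
        my $path = "$ENV{HOME}/taint-example.log";
        # Opening a tainted path for writing raises
        # "Insecure dependency in open while running with -T switch".
        open my $fh, '>', $path or die "cannot open $path: $!";
        return $fh;
    }

    # Module-initialisation code that trips the taint check during loading.
    Example::Logger::open_log();
}

print "not reached\n";
```

The Carp::confess trace now lists the frames inside the BEGIN block, which is what pinpoints the library call that the bare "(eval some_line)" message hides; moving the handler assignment below the BEGIN blocks reproduces the question's silent behaviour.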
