http://qs1969.pair.com?node_id=11731

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I'm using Sys::Syslog for program logging and I have just started using the taint flag (we are trying to tighten up our code). With this combination Syslog will not work. I'm thinking that it's a perl bug, but I wanted to check before I sent off a bug report. I'm also wondering if there is a way around the problem.

The following is the more detailed info:
I'm running perl 5.00503

This is my test script:
#!/usr/bin/perl -wT
use Sys::Syslog;


$SCRIPT_ID = "testMod.cgi(000)";
print "Content-Type: text/html\n\n";
&openlog($ProcName,"pid,cons,nowait", "local0");
&syslog('local3.info', "$SCRIPT_ID-1 Execution begun.");
&closelog();
print "HELLO";

When I run this script I get the 'document contained no data error' and the following message in the error log: 'Cannot get host name of local machine at /usr/lib/perl5/5.00503/Sys/Syslog.pm line 248'. I tracked this down and found that the error is actually being generated from Sys::Hostname. Everything works fine if I remove the -T flag.

Thanks in advance,
Shane Corgatelli
shane@icserv.net

Replies are listed 'Best First'.
Re: Problems with Sys::Syslog and taint
by mdillon (Priest) on May 16, 2000 at 00:12 UTC
    Sys::Hostname tries to fall back to system utilities like 'hostname' and 'uname -n' to get the host name, so the problem probably has something to do with your $ENV{PATH}.

    i was able to get your code to work by adding the following line:

    local %ENV = (PATH => '/bin');
    this should work under UNIX as long as 'uname' or 'hostname' is in '/bin'.

    a better way to make it work is to create "syscall.ph" for the systems you'll be using by running 'h2ph /usr/include/syscall.h'. however, upon testing, even this didn't fully avoid tainting problems on my system (GNU/Linux).

Re: Problems with Sys::Syslog and taint
by guice (Scribe) on May 16, 2000 at 01:42 UTC
    It's required that you untaint the ENV{PATH} when you run any system command line apps via system, exec or anything of that nature.
    Doing:
    local %ENV = (PATH => '/bin');
    Works like mdillon pointed out. It's actually better than what I was using which was:
    local $ENV{'PATH'} = '/bin';
    His code will clear out ENV before it sets that path. Anyhow, localizing ENV and setting the PATH is required for tainted scripts that use system calls. This makes sure you don't have some path in the ENV that you don't know about and can be exploited by others.

    -- philip
    We put the 'K' in kwality!

      i decided to completely localize %ENV because taint mode was complaining about my $ENV{BASH_ENV}. i figured it was best to completely redefine the environment to avoid individual errors like this.
        Whatever works, is what I say :)
Re: Problems with Sys::Syslog and taint
by lhoward (Vicar) on May 16, 2000 at 00:17 UTC
    The problem is probably with the Sys::Hostname module as described by mdillon above.

    You could try using the Unix::Syslog or Net::Syslog modules to get around this problem.
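
An added example, not code from any poster in this thread: it runs `hostname` with backticks, the kind of fallback mdillon describes for Sys::Hostname, under the three environments discussed above to show what taint mode checks before it will start a command. The PATH value '/bin:/usr/bin' and the helper name run_hostname are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper: run `hostname` and return its output, or the
# message taint mode died with when it refused to start the command.
sub run_hostname {
    my $out = eval { `hostname` };
    return "refused: $@" if $@;
    return "no output\n" unless defined $out && length $out;
    return "ok: $out";
}

# 1. Inherited environment: PATH came from outside the program, so it
#    is tainted and taint mode refuses to run the command.
print "inherited env  -> ", run_hostname();

# 2. Only PATH replaced (guice's earlier approach). IFS, CDPATH, ENV and
#    BASH_ENV are still inherited; if any of them is set, the command
#    is still refused, which is the BASH_ENV complaint mdillon mentions.
{
    local $ENV{PATH} = '/bin:/usr/bin';    # assumed location of hostname
    print "PATH only      -> ", run_hostname();
}

# 3. Whole environment replaced for this block (mdillon's approach).
#    Nothing inherited is left for taint mode to object to.
{
    local %ENV = (PATH => '/bin:/usr/bin');
    print "clean env      -> ", run_hostname();

    # Command output is tainted too; validate it with a capturing
    # regex before using it in anything security-sensitive.
    my ($host) = `hostname` =~ /\A([A-Za-z0-9.-]+)\s*\z/
        or die "unexpected hostname output\n";
    print "validated host -> $host\n";
}
```

Run it as `perl -T script.pl` (script.pl being whatever name you save it under) or execute the file directly, so that the -T on the #! line is honoured.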