Taint error in Printer module

by ksublondie (Friar)
on Aug 04, 2017 at 17:05 UTC

ksublondie has asked for the wisdom of the Perl Monks concerning the following question:

Hello all,

I'm migrating an intranet server from debian 6 to 9, and perl from 5.10 to 5.24. The web interface when prompted, prints to a dedicated printer. The only difference in the code on the new server is that I've had to set the print command because the default command in Printer is lpr, but for some reason, only lp works at the command line on the new server.

I've reset my $ENV{PATH}, but I'm still receiving taint errors when it tries to print. Of course, everything works just fine from the command line.

...
use strict;
use Printer;
...
$ENV{'PATH'}='/usr/bin';
delete @ENV{'IFS','CDPATH','ENV','BASH_ENV','LPDEST','NPRINTER','NGPRINTER'};
...
sub print{
    ...
    my $text=get_text();
    my $prn=new Printer('linux' => '6L',);
    $prn->print_command('linux'=> {type=>'pipe', 'command'=> 'lp -d 6L'});
    $prn->print($text);
}

The error I'm receiving is
Insecure $ENV{PATH} while running with -T switch File: /usr/local/share/perl/5.24.1/Printer/Unix.pm Line: 127
and so you don't have to look it up, the code for Printer::Unix.pm is:

use Env qw{PRINTER LPDEST NPRINTER NGPRINTER PATH};
#added the following to the original code
$ENV{'PATH'}='/usr/bin';
delete @ENV{'IFS','CDPATH','ENV','BASH_ENV'};
...
#line 127
open PRINTER, "| $self->{print_command}->{linux}->{type}"
    or Carp::croak "Can't open printer connection to $self->{print_command}->{linux}->{command}";

The Printer.pm versions are identical: 0.98.

Since I'm resetting ENV{PATH} and deleting all those others, what's going on here?

Update: For grins, I've hard-coded the default command in Printer to lp from lpr and I'm still getting the same error.

Update 2: The print command is working twice and failing on the third attempt. I've also reset ENV{PATH} for Printer.pm, along with Printer::Unix.pm and my code.

Replies are listed 'Best First'.
Re: Taint error in Printer module
by kcott (Archbishop) on Aug 05, 2017 at 06:29 UTC

    G'day ksublondie,

    What you've presented in your OP has all sorts of problems. Look at deleted @ENV{...): that should be delete not deleted; and the right parenthesis should be a right brace. You've also linked to Printer. The source code for that Module is quite different from what you've posted (as "the code for Printer is"): it has use Env qw(PATH), not the syntactically incorrect code you show (')' instead of '}' again); it also has no code which matches open PRINTER!

    The upshot of this is that we don't know what code you're really running, nor what module you're really using. As I'm sure you'll realise, this makes it difficult to help you.

    use, and sub definitions, occur at compile time. Your modification of $ENV{PATH} occurs at runtime. I suspect your problem is related to this.

    Your taint error is most often caused by a PATH ending with ':.'; although, any relative pathname could be the problem. There could be other reasons, too. I suggest you put code like the following at the very start of your program; immediately following the shebang line would probably be best.

    #!/usr/bin/env perl -T

    use strict;
    use warnings;

    BEGIN {
        use File::Spec;

        # To avoid "Insecure $ENV{PATH} while running with -T switch"
        $ENV{PATH} = join ':', grep { File::Spec::->file_name_is_absolute($_) } split /:/, $ENV{PATH};

        # To ensure there's no dependency on these potentially insecure variables
        delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    }

    In case you didn't know, BEGIN occurs at compile time. By putting this code first, %ENV is modified before any other compile time actions.

    If you copy and paste code, you won't end up with the typographical errors (probably caused, at least in part, by entering by hand) that your OP has in multiple places. Also, please check that all links actually link to the indicated information, and any references accurately reflect the sources you provide.

    Update: Minor typo fix: s/you program/your program/

    — Ken

      I'll recheck the code in my OP...yes, I had to retype it because my code is not easily available to copy/paste into perlmonks.
        I had to retype it because my code is not easily available to copy/paste into perlmonks.

        Reduce your code to a MINIMAL example that still shows the problem. Usually, this will take something between 10 and 30 lines that can easily be posted here. Copy-and-paste the working example, don't introduce new errors by retyping.

        How to reduce, method 1: Strip off all code that is not relevant to the problem. Remove all modules and functions not related to the problem. Replace irrelevant calculations with fixed values. Replace confidential data with harmless made-up data.

        How to reduce, method 2: Start with a hello-world script or the synopsis from the documentation. Add the bare minimum required to exhibit the problem, copied from your main project. You will likely need to copy only a few lines.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      For clarification, the Printer module code I posted is from Printer::Unix.pm (the file mentioned in the error message received), not Printer.pm.

      Where do you suggest I add the code? To MY code? To Printer::Unix.pm or Printer.pm? I'm currently resetting $ENV{PATH} in all 3 files and still getting the taint error.

        OK, I can see how that might have been confusing. The module is Printer::Unix. It's bundled with Printer, rather than being provided as a separately distributed module. You can find it as follows:

        • At the top of the Printer page, you'll see a link to the distribution page: Printer-0.98.
        • That page has a number of links. Against the heading Special Files, you'll see a link to MANIFEST.
        • On the MANIFEST page, you'll see links to all the items that make up the distribution; lib/Printer/Unix.pm links to the source code for Printer::Unix.

        There's probably additional confusion because the source code for Printer has

        require Printer::Unix;

        but the source code for Printer::Unix has no package statement. The module is Printer::Unix but its namespace is Printer.

        The code I suggested should be added to your program as I originally stated: nothing has changed in that respect.

        As a general rule, you should not make changes to module code you've installed from CPAN. If you have made any changes, you should reverse them: if in doubt, reinstall the module.

        You should be able to create a SSCCE fairly easily. Start with code similar to what I suggested; add use Printer;; then your sub printX {...}; then a call to exercise it (printX(@args)).

        Important: Note that I used printX. You don't have to call it that; but do not call it print: that's the name of a core function (print) and could easily cause problems.

        The Printer module only works with a limited number of platforms that I don't have available. I'd be happy to look at your SSCCE code but I'm not in a position to run and test it.

        You should also change your current indirect object syntax:

        my $prn=new Printer('linux' => '6L',);

        to

        my $prn = Printer::->new(linux => '6L');

        See Indirect Object Syntax for an explanation. Note the emboldened text: "... use of this syntax is discouraged ...".

        — Ken

Re: Taint error in Printer module
by ksublondie (Friar) on Aug 04, 2017 at 17:23 UTC
    Holy. Hell.

    I changed $ENV{'PATH'} to $ENV{PATH} and it freaking works!

    ETA: Nevermind. It's still giving the same error...

      What is the actual error message as produced by perl? The one listed in your post isn't.

      What do you get with

      use Data::Dump qw/ dd /; dd( $prn );

      get_unique_spool makes use of a tainted $ENV{TEMP}

        This is a web interface and any generated errors are run through CGI::Application::dump().

        Public error message: Internal exception error
        Internal error message: Insecure $ENV{PATH} while running with -T switch File: /usr/local/share/perl/5.24.1/Printer/Unix.pm Line: 129
        ...
        Current Run mode: 'transactions_approve'
        ...
        Query Environment:
        CONTEXT_DOCUMENT_ROOT => '/var/www/html'
        CONTEXT_PREFIX => ''
        DOCUMENT_ROOT => '/var/www/html'
        GATEWAY_INTERFACE => 'CGI/1.1'
        HTTP_ACCEPT => '*/*'
        HTTP_ACCEPT_ENCODING => 'gzip, deflate'
        HTTP_ACCEPT_LANGUAGE => 'en-US'
        HTTP_CONNECTION => 'Keep-Alive'
        HTTP_COOKIE => 'CGISESSID=19ba4d2d00de2da0f433055d04e8745b'
        ...
        MOD_PERL => 'mod_perl/2.0.10'
        MOD_PERL_API_VERSION => '2'
        PATH => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
        ...

        I'm resetting ENV{PATH} and now ENV{TEMP} in Printer.pm, Printer::Unix.pm, and my code. Somehow it's still getting the wrong PATH. It will work once or twice, then fail.
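
Added example, not code from the thread or from the Printer module: under -T, perl inspects %ENV at the moment of a piped open, and a PATH value derived from the inherited one keeps its taint, so this sketch assigns a literal PATH with `local` immediately before the open. The helper names `pipe_text` and `pipe_text_clean_env`, the PATH value `/usr/bin:/bin`, and `cat` as a stand-in for the thread's `lp -d 6L` are assumptions.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run as: perl -T $0\n" unless ${^TAINT};
$| = 1;

# Hypothetical helper: pipe $text to @cmd; returns '' on success, else the error.
sub pipe_text {
    my ($text, @cmd) = @_;
    my $ok = eval {
        # Under -T, perl checks %ENV here, at the moment of the piped open.
        open my $fh, '|-', @cmd or die "Can't start $cmd[0]: $!\n";
        print {$fh} $text;
        close $fh or die "$cmd[0] failed (status $?)\n";
        1;
    };
    return $ok ? '' : $@;
}

# Hypothetical wrapper: known-good environment, scoped to this one call and
# restored afterwards, whatever %ENV held when the sub was entered.
sub pipe_text_clean_env {
    my ($text, @cmd) = @_;
    local $ENV{PATH} = '/usr/bin:/bin';    # literal value, so not tainted
    delete local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return pipe_text($text, @cmd);
}

# A PATH rebuilt from the inherited value is still derived from external
# data, so it stays tainted even though every entry is absolute.
$ENV{PATH} = join ':', grep { m{\A/} } split /:/, ($ENV{PATH} // '');
printf "rebuilt PATH tainted: %s\n", tainted($ENV{PATH}) ? 'yes' : 'no';

# 'cat' is a stand-in for the thread's 'lp -d 6L' (no printer needed).
my $err = pipe_text("test page\n", 'cat');
print 'open with rebuilt PATH: ', ($err eq '' ? "ok\n" : $err);

$err = pipe_text_clean_env("test page\n", 'cat');
print 'open with literal PATH: ', ($err eq '' ? "ok\n" : $err);
```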
