Re: eval $fh while setuid...

The first place to turn when you want to understand a Perl diagnostic message is the perldiag documentation. For this error, it tells us:

       Insecure dependency in %s
           (F) You tried to do something that the tainting
           mechanism didn't like.  The tainting mechanism is
           turned on when you're running setuid or setgid, or
           when you specify -T to turn it on explicitly.  The
           tainting mechanism labels all data that's derived
           directly or indirectly from the user, who is
           considered to be unworthy of your trust.  If any such
           data is used in a "dangerous" operation, you get this
           error.  See the perlsec manpage for more information.
[download]

So, this code is reading in tainted data, and then trying to eval it. That's possibly very dangerous, so Perl doesn't let you do it.

I'm not sure whether this is module is something you've written... If you really want to stick with the eval approach, you can untaint the data before you eval it. (See perlsec for how to untaint data.)

However, it would be better if this config file were stored in a way that didn't require being evaled. For example, it could use one of the config modules from CPAN.

Comment on Re: eval $fh while setuid... Download Code

Replies are listed 'Best First'.
Re: Re: eval $fh while setuid... by PsychoSpunk (Hermit) on Aug 04, 2001 at 00:17 UTC
Thanks chipmunk, /me forgets the little things sometimes. I took your advice and reviewed all the links you provided. The real reason I hadn't thought about the config modules in CPAN was because I am using Data::Dumper to create the config file in the first place, also from within the web browser so that I don't have to go and muck with the file at all and I should be relatively guaranteed that it's valid perl (as long as it stays safely out of the evil hands of others). Thus, I figured that reading it in via eval would be a perfectly decent solution. ALL HAIL BRAK!!!	[reply]

Replies are listed 'Best First'.

Re: Re: eval $fh while setuid...
by PsychoSpunk (Hermit) on Aug 04, 2001 at 00:17 UTC

chipmunk

/me forgets the little things sometimes.

I took your advice and reviewed all the links you provided. The real reason I hadn't thought about the config modules in CPAN was because I am using Data::Dumper to create the config file in the first place, also from within the web browser so that I don't have to go and muck with the file at all and I should be relatively guaranteed that it's valid perl (as long as it stays safely out of the evil hands of others). Thus, I figured that reading it in via eval would be a perfectly decent solution.

ALL HAIL BRAK!!!

[reply]