powerhouse has asked for the wisdom of the Perl Monks concerning the following question:

I am writing a script, and for the first time, ever, I'm doing so, using -wT

Now I'm getting this error: Insecure dependency in require while running with -T switch at index.cgi line 88.

What causes that?

Thank you much.

Richard

Replies are listed 'Best First'.
Re: Error using -T...
by Enlil (Parson) on May 31, 2003 at 19:49 UTC
    Take a look at 'perldoc perlsec'.

    update: Another thing you can do if you run up against an error you don't understand is that you can use the diagnostics pragma or splain and just paste the error in. Here is what splain printed for your error:

    Insecure dependency in require while running with -T switch at index.cgi line 88 (#1)
    (F) You tried to do something that the tainting mechanism didn't like. The tainting mechanism is turned on when you're running setuid or setgid, or when you specify -T to turn it on explicitly. The tainting mechanism labels all data that's derived directly or indirectly from the user, who is considered to be unworthy of your trust. If any such data is used in a "dangerous" operation, you get this error. See perlsec for more information.

    -enlil

Re: Error using -T...
by Limbic~Region (Chancellor) on May 31, 2003 at 19:48 UTC
    powerhouse,
    Taint is used to ensure your program doesn't do anything externally from your program with data that it has received externally.

    What's line 88 anyway?

    Cheers - L~R

      Line 88 is this:
      require "$Page_Loc/$pg.conf";

      It is basically just the "page" coding, the actual content is stored in a database. I am just pulling in the Perl syntax for that page, IF it exists:
      if (-e "$Page_Loc/$pg.conf") {
          # line 88 above ;o)
      }

      I guess, I MIGHT have to put them all into the main system, and just use the page names as sub routines, and run them when that page is called... Or is there a different way to avoid getting that error?

      I am just not checking out that link the other person, Enlil I think, posted. Thanks everyone.


      Richard
        powerhouse,
        The problem is that you are requiring a file from tainted data. You will have to Untaint $pg first. I am not sure I would be doing it the same way you are if I was concerned about security.

        Cheers - L~R

Re: Error using -T...
by krisahoch (Deacon) on May 31, 2003 at 19:50 UTC
    powerhouse,

    Are you trying to setgid or setuid? There are a few ways possible to get this particular error message.
    Why not show us the code? We may be able to offer better assistance.

    Kristofer Hoch

    Si vos can lego is, vos es super erudio

      here is the code:
      $Page_Dir = "/home/some/backend/pagez";
      $pg = $in{pg};
      $pg = "home" if !$pg;
      if (-e "$Page_Dir/$pg.conf") {
          require "$Page_Dir/$pg.conf";
      }
      ($page_content,$title) .= run_page_mill($pg);
      # above line checks the database for the
      # page title and content
      That is the only part appearing to give me any trouble...
      I think I might be calling the content too late, I might have to call it BEFORE the functions, so that the require will already have the page content.

      thx,
      Richard

        Where did the values in your hash %in come from? If they came into the program from an external source (as is implied by the name:) then they will be tainted and you will need to un-taint them before you can use them as part of the filename you supply to require.

        The theory goes that as require is nothing but a sophisticated eval, then the 'bad guy' can place his evil requirements in a file /home/some/backend/pagez/wicked.conf, supply the name 'wicked' to your program and you will run whatever bad stuff he puts in there.


        Examine what is said, not who speaks.
        "Efficiency is intelligent laziness." -David Dunham
        "When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller


        I'm no expert on this sort of thing, but given the circumstances, I would prefer to do it as follows:
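        # assume $Page_Dir assigned as per your post
        opendir CONF, $Page_Dir or die "Cannot open $Page_Dir: $!";
        my @conf_files = grep /\.conf$/, readdir( CONF );
        closedir CONF;
        # \Q...\E keeps regex metacharacters in the form input literal
        ($pg) = grep /^\Q$in{pg}\E\.conf$/, @conf_files;
        if ( $pg ) {
            # names returned by readdir are tainted under -T, so untaint the match
            ($pg) = $pg =~ /\A([\w.-]+\.conf)\z/;
            require "$Page_Dir/$pg" if $pg;
        }
        ...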
        The point here is that the "require" statement is based entirely on information that is internal to the server -- input from a cgi form is only used to decide which known file name is being passed to "require" -- if user input does not match a safe, untainted string, it cannot have any bad side-effect.
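
The untainting step the replies describe, as an added example that is not part of any post in the thread: the `pg` value is matched against a strict pattern and only the captured text is used to build the path passed to `require`. The helper name `page_conf_path`, the temporary directory and its two page files are constructed for the demonstration, and the tainted form input is simulated from `%ENV`.

```perl
# Added example, not code from the thread. Run as: perl -T page_lookup.pl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Return an untainted path to "$dir/<name>.conf", or undef when the request
# is not a plain page name or no such file exists. (Hypothetical helper.)
sub page_conf_path {
    my ($dir, $requested) = @_;
    $requested = 'home' unless defined $requested && length $requested;
    # A capture from a strict allow-list pattern is what untaints the value.
    # No "/" or "." is allowed, so "../" traversal cannot get through.
    my ($name) = $requested =~ /\A([A-Za-z0-9_-]{1,64})\z/ or return;
    my $path = "$dir/$name.conf";
    return -f $path ? $path : undef;
}

# Constructed demo data: a throwaway page directory holding two page files.
my $dir = tempdir(CLEANUP => 1);
for my $page (qw(home about)) {
    open my $fh, '>', "$dir/$page.conf" or die "open $page.conf: $!";
    print {$fh} qq{"settings for $page";\n};   # require returns this last value
    close $fh or die "close $page.conf: $!";
}

# Stand-in for CGI input: under -T, appending a zero-length slice of %ENV
# data taints the string just as a form parameter would be.
my $taint = substr(join('', %ENV), 0, 0);

for my $input ('about', '', '../../etc/passwd', 'about.conf', 'missing') {
    my $pg   = $input . $taint;
    my $path = page_conf_path($dir, $pg);
    if (defined $path) {
        my $settings = require $path;
        printf "%-18s input tainted=%d, path tainted=%d, loaded: %s\n",
            "'$input'", tainted($pg) ? 1 : 0, tainted($path) ? 1 : 0, $settings;
    }
    else {
        printf "%-18s rejected, nothing required\n", "'$input'";
    }
}
```

Without `-T` the script still runs, but both taint columns print 0 because no data is marked tainted.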