I'm studying perlsec and taint mode, trying to shore up our security. This statement seems misleading:

By default, Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs. You can also enable taint mode explicitly by using the -T command line flag.

In our case, CGI runs under the apache user, but the file owner is different, so by that statement I'd expect we'd run with taint mode by default. There seems to be no way to DISABLE taint mode, so it's not really a "default" since default means that TAINT MODE can be disabled. I don't see a switch that disables TAINT mode.

But when I explicitly enable that pragma, the code immediately blows up with security errors, implying the default run mode is NOT taint-pragmatized.

Digging a bit deeper, the on-screen error was like:

Software error: Insecure dependency in require while running with -T switch at /var/www/cgi-bin/mycode/generic.cgi line 47.

and line 47 was like:

    use myPackage;

which is a package of 1000's of lines. It seems odd taint complains about some "require" issue when it is actually a "use". And the package has no "requires" in it either. So an error like this is about as useful as telling the coastguard "there is a ship in some sort of distress, SOMEWHERE in the ocean!".

Honestly, I believe the RIGHT thing to do is to run with TAINT mode. But in practice, with messages like this with no way to tell what to fix, it's not useful. I'd be very interested in video journals or other guides that show how users remediate TAINT issues like these and others. Or is there a means to make taint mode VERBOSE?


In reply to Perlsec and taint mode? by misterperl
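The message in the post comes from the taint check that runs while perl walks @INC to load a module, and `use Foo;` is compiled into `BEGIN { require Foo; Foo->import }`, which is why a failure at a `use` line is reported as a failure in "require". The script below is an added example, not code from the original post or from perlsec: it reproduces that exact message under `perl -T`, shows how `Scalar::Util::tainted` pinpoints which string carries the taint, and launders it with a regex capture. The base path, the `lib` subdirectory read from the DATA handle and the module name `Some::Hypothetical::Module` are all constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run with:  perl -T taint_demo.pl
# It shows (1) which values are tainted, (2) why a failure inside `use`
# is reported as "Insecure dependency in require", and (3) how to locate
# and launder the offending string with Scalar::Util and a regex capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A literal is clean; anything read from a filehandle, %ENV, @ARGV or a
# CGI request is tainted. The DATA handle counts as file input, so the
# line read below is tainted although it is part of this very script.
my $base = '/var/www/cgi-bin/mycode';        # constructed path, clean
chomp(my $subdir = <DATA>);                   # tainted
my $libdir = "$base/$subdir";                 # taint propagates through concatenation

sub report {
    my ($label, $value) = @_;
    printf "%-8s %-40s tainted=%s\n", $label, $value, tainted($value) ? 'yes' : 'no';
}
report(base   => $base);
report(subdir => $subdir);
report(libdir => $libdir);

# `use Foo;` compiles to `BEGIN { require Foo; Foo->import }`, so the error
# names "require" and the line number is that of the `use`, not a line inside
# Foo. Loading walks @INC, and perl dies the moment it touches a tainted
# directory entry, so `use lib $something_tainted` (for instance a path built
# from $FindBin::Bin) is a typical cause.
sub tainted_inc_entries {
    return grep { !ref $_ && tainted($_) } @INC;   # coderef/object hooks cannot be tainted
}

unshift @INC, $libdir;                        # poison @INC on purpose
print "tainted \@INC entries: @{[ tainted_inc_entries() ]}\n";

eval { require Some::Hypothetical::Module; 1 }    # hypothetical module name
    or print "require failed: $@";                # Insecure dependency in require ...

# Laundering: the only sanctioned way is to extract the trusted part with a
# regex capture. Keep the character class tight; m/(.*)/ merely hides bugs.
sub untaint_path {
    my ($path) = @_;
    return $path =~ m{\A([\w./-]+)\z} ? $1 : undef;
}

# Launder only the tainted string entries; clean entries and hooks are kept.
@INC = map { !ref $_ && tainted($_) ? (untaint_path($_) // ()) : $_ } @INC;
print "tainted \@INC entries after laundering: ", scalar(tainted_inc_entries()), "\n";

eval { require Some::Hypothetical::Module; 1 }
    or print "require failed: $@";   # now "Can't locate ...": taint is no longer the problem

__DATA__
lib
```

The script must be started with `perl -T` (perl refuses a `-T` that appears only on the shebang line once it is "too late"). To find the culprit in a real CGI, wrap the suspect values in `Scalar::Util::tainted` right before the `use lib` or `require` that fails; `perl -t` (lowercase) turns the fatal taint errors into warnings so every violation is listed in one run instead of stopping at the first.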