comment on

In our case, CGI runs under the apache user, but the file owner is different, so by that statement I'd expect we'd run with taint mode by dafault.

This is a misunderstanding. File ownership has nothing to do with that situation. This mandatory activation of taint mode happens as a consequence of a setuid (or setgid operation: Changing the user id of a process.

So an error like this is about as useful as telling the coastguard "there is a ship in some sort of distress, SOMEWHERE in the ocean!"..

It more precise than that. require is the first step of a use operation, and it is the most likely culprit. I guess that somewhere in your effective @INC path you have a directory which is considered insecure by taint checks. This can be as simple as a relative directory, because in most cases the return value of cwd (i.e. determining the current working directory) is tainted.

In reply to Re: Perlsec and taint mode? by haj
in thread Perlsec and taint mode? by misterperl

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.