bplatz has asked for the wisdom of the Perl Monks concerning the following question:

Has anyone run into a problem similar to that shown below? If so, does anyone know of a workaround? Thanks in advance!

Under Perl 5.8.0, I encounter an insecure dependency error for PerlIO.pm with the following script when it is executed under Solaris with the real uid != effective uid:

#!/bin/perl
use XML::SAX::Pipeline;
use XML::Filter::BufferText;

# Buffer character data, then run the pipeline over STDIN
my $filter  = XML::Filter::BufferText->new();
my $machine = XML::SAX::Pipeline->new($filter);
$machine->parse_file(\*STDIN);

Error Message:

Insecure dependency in eval while running setuid at /opt/perl58/lib/5.8.0/PerlIO.pm line 22.
BEGIN failed--compilation aborted.

Other than using perl's -U option, I cannot figure out how to get around this problem. It appears that the root of the problem is PerlIO.pm's use of a tainted variable inside a "require" statement, at line 22. This problem seems to exist with the latest version of Perl 5.8 as well (I downloaded and unpacked it, just to see if there was a difference, and there isn't).

Replies are listed 'Best First'.
Re: Perl 5.8.0 PerlIO insecure dependency
by tachyon (Chancellor) on Apr 13, 2004 at 01:09 UTC

    Here is the code in question from PerlIO....

    sub import {
        my $class = shift;
        while (@_) {
            my $layer = shift;
            # Expand a short alias, otherwise qualify the name with the class
            if (exists $alias{$layer}) {
                $layer = $alias{$layer}
            }
            else {
                $layer = "${class}::$layer";
            }
            eval "require $layer";    # line 22: string eval on caller-supplied data
            warn $@ if $@;
        }
    }

    It would seem reasonable to add:

    $layer = $1 if $layer =~ m/^([\w:]+)$/;

    Just before the eval to untaint it safely. That should allow everything through that needs to come through. It is a reasonable patch, I would have thought. It may, however, just allow stuff to break elsewhere.

    Does your script really need to be suid in the first place?

    cheers

    tachyon

      I don't think so. That would allow stuff like
      E:\>set TAINTED=crlf
      E:\>perl -T -e"use PerlIO $ENV{TAINTED};"
      Insecure dependency in eval while running with -T switch at G:/Perl/lib/PerlIO.pm line 22.
      BEGIN failed--compilation aborted at -e line 1.
      to slip through, when it clearly shouldn't.

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

        Actually there is nothing wrong with the behaviour you would get with the patch and your test case (removing the -T to simulate the effect of the patch, as crlf will match ^[\w:]+$):

        [root@devel3 root]# TAINTED=crlf;export TAINTED
        [root@devel3 root]# perl5.8.3 -e 'print $ENV{TAINTED},$/;'
        crlf
        [root@devel3 root]# perl5.8.3 -e 'use PerlIO $ENV{TAINTED};'
        Can't locate PerlIO/crlf.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/5.8.3 /usr/local/lib/perl5/site_perl/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at (eval 1) line 3.
        [root@devel3 root]#

        All that patching it to untaint \w: chars does is allow you to call an arbitrary PerlIO::Widget::Whotnot. That module still has to exist or it will just explode.

        You could make a good argument for a patch like:

        croak "No way hosay...." unless $layer =~ m/^([\w:]+)$/;
        $layer = $1;
        eval "....

        cheers

        tachyon
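The fail-closed version of the check discussed in this subthread, written out as an added example (this is not PerlIO.pm's code and not a patch from anyone in the thread; the helper names checked_layer_name and load_layer and the sample inputs are my own). It makes two changes a practitioner would want beyond the one-line patch: the allowlist match uses \A and \z rather than ^ and $, because $ also matches before a trailing newline, and the module is loaded by its file path so no string from the caller is ever compiled by a string eval. The loop feeds in constructed values that are deliberately tainted the way %ENV data is under -T, and shows which ones are refused before any require runs.

```perl
#!/usr/bin/perl -T
# Added example, not code from PerlIO.pm or from this thread.
# Run as: perl -T validate_layer.pl  (the -T must also be on the command line,
# otherwise perl reports "Too late for -T option").
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(tainted);

# Hypothetical helper: the allowlist check as a hard failure. Only
# identifier characters and "::" pass; the capture in $1 is what untaints.
# \A and \z are used instead of ^ and $, because $ would also accept "via\n".
sub checked_layer_name {
    my ($class, $layer) = @_;
    croak "refusing layer name: not a plain module name"
        unless defined $layer && $layer =~ m/\A([\w:]+)\z/;
    return "${class}::$1";
}

# Hypothetical helper: load the module without a string eval.
# "PerlIO::via" becomes "PerlIO/via.pm", which require() accepts directly,
# so nothing supplied by the caller is ever compiled as Perl code.
sub load_layer {
    my $module = checked_layer_name(@_);
    (my $file = "$module.pm") =~ s{::}{/}g;
    require $file;
    return $module;
}

# Constructed inputs. Under -T, values read from %ENV are tainted, and
# concatenating an empty slice of one taints a literal, so every candidate
# below looks to perl exactly like data that arrived from the environment.
my $taint = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);
my @candidates = (
    'via',                     # real core layer: should load
    'encoding',                # real core layer: should load
    'scalar; system("id")',    # not a module name: refused before any require
    "via\n",                   # trailing newline: refused because of \z
    'Nope::Missing',           # well-formed but absent: require() fails safely
);

for my $candidate (@candidates) {
    my $input = $candidate . $taint;
    (my $shown = $candidate) =~ s/\n/\\n/g;
    printf "%-24s tainted=%d  ", "'$shown'", tainted($input) ? 1 : 0;
    my $module = eval { load_layer('PerlIO', $input) };
    if (defined $module) {
        printf "loaded %s (tainted=%d)\n", $module, tainted($module) ? 1 : 0;
    }
    else {
        (my $err = $@) =~ s/\s+at \S+ line \d+.*//s;
        print "rejected: $err\n";
    }
}
```

Only the two real core layers load, and the module name that comes back out of load_layer is untainted because it is assembled from the literal class name and the captured group. The injection-shaped string and the newline-terminated one never reach require() at all; the well-formed but nonexistent name reaches it and fails with the ordinary "Can't locate" error, which is the outcome tachyon describes above.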

      Yes, the code in which this excerpt appears does need to be run setuid, until it reads a configuration file, after which it reverts back to uid == euid. By the time it reaches the code in question, uid == euid, but the error appears at BEGIN time, not runtime. I am aware of how to untaint variables, but was curious if anyone else has seen this or reported it to perl.org. Tonight I submitted a bug report to perl.org. Let's see what kind of reply I get from them. Thanks again!