using LWP in Taint Mode

hoops99 has asked for the wisdom of the Perl Monks concerning the following question:

Hi, Ive been trying out the LWP module to post data to another server and get a response from that server which is then printed to the users screen.. I can get the the program to run from the commandline but when I run it from the web (cgi) it fails as follows:

Insecure Dependency in require while running with -T switch 501 Can't locate object method "new" via package "LWP::Protocol::http"

If I do the unwise thing and remove the -T switch then it will work in CGI mode.. My question is "whats going on?".. Is the error due to a tainted string being added to @INC or is the LWP response handler at fault? How do I test these and consequently fix them? Maybe in CGI mode it cant find the LWP module? Any help appreciated. Thanks

Comment on using LWP in Taint Mode

Replies are listed 'Best First'.
Re: using LWP in Taint Mode by dorko (Prior) on Jul 11, 2005 at 11:55 UTC
hoops99, Try adding the line: `use CGI::Carp qw(fatalsToBrowser);` just before your `use LWP;` line (or however you're loading LWP). It should print fatal errors to the browser as well as the log. Alternatively, check your web server logs to see what's happening. Cheers, Brent -- Yeah, I'm a Delt.	[reply] [d/l] [select]
Re: using LWP in Taint Mode by rev_1318 (Chaplain) on Jul 11, 2005 at 14:38 UTC
Is it possible to show a mininal piece of code which reproduces this behavour? Without it it will be guessing what's wrong... Paul	[reply]
Re^2: using LWP in Taint Mode by hoops99 (Initiate) on Jul 11, 2005 at 15:24 UTC
Hi Paul, Apologies for lack of code.. Ive just found the problems with the code. I was using CWD and getpwuid($<) to get the users working directory and ID. It turns out that in taint mode this will cause an error. I was looking at a red herring when the script suggested the error was in LWP. Thanks for all your help. ---------------- snippet of code: #!/usr/local/bin/perl -wT ## include modules use strict; use CGI qw(:cgi); use Cwd; use LWP::UserAgent qw(!head); use vars qw($VERSION @WEBADMIN_SERVERS); ## initialise variables $ENV{'PATH'} = "/bin:/usr/bin"; delete @ENV{qw(CDPATH IFS BASH_ENV)}; my $dir = Cwd; my ($login,$pass,$uid,$gid) = getpwuid($<);	[reply]