Taint problem with Kwiki::Modperl

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,
I'm trying to speed up a Kwiki install with Kwiki::ModPerl. My Apache is set to run as user 'nobody' and group 'nobody'.
Here is the relevant part of httpd.conf:

    <Directory "/usr/local/httpd/htdocs">
      Order allow,deny
      Allow from all
      Options Indexes ExecCGI
      SetHandler perl-script
      DirectoryIndex index.cgi
      PerlSetVar  KwikiBaseDir /usr/local/httpd/htdocs
      PerlHandler +Kwiki::ModPerl
    </Directory>
[download]

Unfortunately I get this error when accessing index.cgi:

Insecure dependency in eval while running setgid at /usr/local/lib/per
+l5/site_perl/5.8.2/Spoon/Registry.pm line 22.
    Spoon::Base::__ANON__('Insecure dependency in eval while running s
+etgid at /usr/loca...') called at /usr/local/lib/perl5/site_perl/5.8.
+2/Spoon/Registry.pm line 22
    Spoon::Registry::load('Kwiki::Registry=HASH(0x5d1e74)') called at 
+(eval 57) line 3
    Spiffy::__ANON__('Kwiki::Registry=HASH(0x5d1e74)') called at /usr/
+local/lib/perl5/site_perl/5.8.2/Spoon/Hub.pm line 43
    Spoon::Hub::preload('Kwiki::Hub=HASH(0x60d614)') called at /usr/lo
+cal/lib/perl5/site_perl/5.8.2/Spoon/Hub.pm line 32
    Spoon::Hub::process('Kwiki::Hub=HASH(0x60d614)') called at /usr/lo
+cal/lib/perl5/site_perl/5.8.2/Kwiki/ModPerl.pm line 70
    eval {...} called at /usr/local/lib/perl5/site_perl/5.8.2/Kwiki/Mo
+dPerl.pm line 70
    Kwiki::ModPerl::run called at /usr/local/lib/perl5/site_perl/5.8.2
+/Kwiki/ModPerl.pm line 31
    Kwiki::ModPerl::handler_mp2('Kwiki::ModPerl','Apache::RequestRec=S
+CALAR(0x517f14)') called at -e line 0
    eval {...} called at -e line 0
[download]

Any ideas how to solve this? This is an internal, authenticated site. Should I just turn off taint checking? I didn't see where it was turned on in the Kwiki code...

20050809 Janitored by Corion: Changed PRE tags to CODE tags, fixed formatting

Comment on Taint problem with Kwiki::Modperl Select or Download Code

Replies are listed 'Best First'.
Re: Taint problem with Kwiki::Modperl by ikegami (Patriarch) on Aug 09, 2005 at 15:52 UTC
I think it can be solved by untainting the constants returned by subs `registry_directory` and `registry_file` in Spoon::Registry. I don't see an easy way to do that. One could possibly override them -- they're called as methods -- or one could replace `registry_path`, the method that uses them, with one that returns an untained value: `{ my $registry_path = '/path/to/registry.dd'; my ($u_registry_path) = $registry_path =~ /(.)/; { no warnings 'redefine'; Spoon::Registry::registry_path = sub { $u_registry_path }; } }` [download]	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re: Taint problem with Kwiki::Modperl
by ikegami (Patriarch) on Aug 09, 2005 at 15:52 UTC

I think it can be solved by untainting the constants returned by subs registry_directory and registry_file in Spoon::Registry. I don't see an easy way to do that. One could possibly override them -- they're called as methods -- or one could replace registry_path, the method that uses them, with one that returns an untained value:

{
   my $registry_path = '/path/to/registry.dd';
   my ($u_registry_path) = $registry_path =~ /(.*)/;

   {
      no warnings 'redefine';
      *Spoon::Registry::registry_path = sub { $u_registry_path };
   }
}
[download]

[reply]
[d/l]
[select]