Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I am running a perl handler in apache 2.2.11 / mod_perl 2.0.4 / perl 5.10.0 (debian lenny). Since I updated from etch / apache 2.2.9 / perl 5.8.8 yesterday I am getting the following warnings in my handler (the handler itself is unchanged):

    Insecure dependency in require while running with -t switch
    Insecure dependency in eval while running with -t switch

The routine where the warnings occur just contains an eval() using Safe.pm (permitting only very basic operations). I untaint the code before eval'ing. According to perlsec the "Insecure dependency in require" occurs when there is a tainted value in @INC. Since I don't change @INC in my handler and the eval() doesn't contain any use(), require() or do(), I don't understand what's wrong here. It would be nice if someone could point me in the right direction.

Re: Taint check tripped since perl 5.10
by Anonymous Monk on Feb 25, 2009 at 11:25 UTC
    Since I don't change @INC in my handler and the eval() doesn't contain any use(), require() or do(), I don't understand what's wrong here
    Then find out who/what changed @INC, because it's tainted.
    use Scalar::Util(); printf "T(%d)(%s)\n",Scalar::Util::tainted($_),$_ for @INC;

      I tried that and Scalar::Util::tainted returns 0 for all members of @INC.

      Is there a possibility to get the warning (Insecure dependency in require while running with -t switch) without @INC being tainted?

        You also get that error if the value passed to require is tainted.
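The point made in this sub-thread (the check is on the operand of require and of eval STRING, not only on @INC) can be reproduced stand-alone. The following script is an added example written for this page, not code from the thread or from Safe.pm; the `$taint` marker, the two `untaint_*` helpers and the whitelist patterns in them are constructed for the demonstration.

```perl
# Added example (not from the thread): reproduce the two taint warnings
# from the original post and show which operand trips each check.
# Run as:   perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Safe;

# Constructed tainted marker: an empty substring of tainted data (%ENV is
# tainted under -T) is itself tainted, and concatenating it taints a literal.
my $taint = substr(join('', values %ENV), 0, 0);

# 1. The check suggested earlier in the thread: is any @INC entry tainted?
sub tainted_inc_entries { return grep { tainted($_) } @INC }

# 2. The argument of require is checked as well as @INC.  A tainted file
#    name dies with "Insecure dependency in require while running with -T switch".
sub try_require {
    my ($file) = @_;
    my $ok = eval { require $file; 1 };
    return $ok ? "ok\n" : $@;
}

# 3. eval STRING, which Safe::reval uses internally, is checked too.  A
#    tainted expression fails with "Insecure dependency in eval ...".
sub try_eval {
    my ($code) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(qw(:base_core :base_math));   # very basic operations, as in the OP
    my $result = $cpt->reval($code);
    return defined $result ? $result : "error: $@";
}

# Untainting means extracting a capture from a whitelist regex; only the
# captured text is clean.  These patterns are assumptions for the demo.
sub untaint_module_file {
    my ($file) = @_;
    my ($clean) = $file =~ m{\A([A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*\.pm)\z}
        or die "refusing to load suspicious module name '$file'\n";
    return $clean;
}

sub untaint_expression {
    my ($code) = @_;
    my ($clean) = $code =~ m{\A([\d\s+\-*/().]+)\z}
        or die "refusing to evaluate suspicious code '$code'\n";
    return $clean;
}

if (!caller) {
    printf "%d tainted entries in \@INC\n", scalar tainted_inc_entries();

    my $file = "Carp.pm" . $taint;          # constructed tainted module name
    print "require tainted   : ", try_require($file);
    print "require untainted : ", try_require(untaint_module_file($file));

    my $code = "2 * (3 + 4)" . $taint;      # constructed tainted expression
    print "reval tainted     : ", try_eval($code), "\n";
    print "reval untainted   : ", try_eval(untaint_expression($code)), "\n";
}
```

Run with `perl -T` the tainted require and reval calls fail and the untainted ones succeed; with `perl -t` the same checks only emit warnings, which is the "-t switch" wording seen in the original post's mod_perl log. The practical use is the `tainted()` probe: apply it to @INC, to whatever is passed to require, and to the string handed to Safe::reval right before the call, and the operand that is still tainted after your untainting step is the one producing the message.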
Re: Taint check tripped since perl 5.10
by JavaFan (Canon) on Feb 25, 2009 at 11:16 UTC
    The obvious thing to do is to upgrade only one component at a time, not three.

      Sorry for the unformatted mess in my first post. The update from etch to lenny contained the update from perl 5.8.8 to perl 5.10.0 so I actually did just two upgrades at once, not three.

      Thanks for the answers. I had hoped that there might have been a change with perl 5.10 that caused this issue. I guess they just have improved the taint check so my formerly working but deficient code comes back to haunt me.

      I added a check and debug output for @INC so I will now have to wait until the issue occurs again (it doesn't occur regularly).