stepamil has asked for the wisdom of the Perl Monks concerning the following question:

Hi PerlMonks,

I'm using SOAP::Lite to do some online payments. The whole mechanism is set on separate machine which is communicating with payment gateway. So WWW machine sends a message to invoke SOAP::Lite and SOAP message is sent to payment gateway.

In development I had both "machines" running on one (separate instances) and there was no problem, but the moment it went on two separate machines I got this error from SOAP::Lite :

Code execution error: Method [ method_name ] returned error: Insecure dependency in eval while running with -T switch at /usr/lib/perl5/site_perl/5.8.8/SOAP/Lite.pm line 3225

Any idea?

Milos

Replies are listed 'Best First'.
Re: SOAP::Lite - Insecure dependency in eval while running with -T
by Anonymous Monk on Mar 25, 2011 at 11:52 UTC
    splain/diagnostics/perlsec 
    Insecure dependency in eval while running with -T switch at
        /usr/lib/perl5/site_perl/5.8.8/SOAP/Lite.pm line 3225 (#1)
    (F) You tried to do something that the tainting mechanism didn't l
+ike.
    The tainting mechanism is turned on when you're running setuid or
    setgid, or when you specify -T to turn it on explicitly.  The
    tainting mechanism labels all data that's derived directly or indi
+rectly
    from the user, who is considered to be unworthy of your trust.  If
+ any
    such data is used in a "dangerous" operation, you get this error. 
+ See
    perlsec for more information.

    [download]
    http://search.cpan.org/grep?cpanid=MKUTTER&release=SOAP-Lite-0.712&string=taint&i=1&n=1&C=0

    What is SOAP/Lite.pm line 3225? On cpan it is 

    eval $self->generate_stub($_) or Carp::croak "Bad stub: $@";

    [download]
    But that doesn't match your error message , so upgrade SOAP::Lite :)
[reply]
[d/l]
[select]
[reply]
        • "Bad stub:" is not mentioned anywhere in OPs message
        • "Code execution error" doesn't appear in SOAP/Lite.pm
        • "returned error" doesn't appear in SOAP/Lite.pm
[reply]

      Hi, I tried the trick (added in new line 3363):

      sub generate_stub {
...

    $self->{'_stub'} = $1 if $self->{'_stub'} =~ /^(.*)/;
    return $self->stub;
}

      [download]

      and the error has changes . Now it's:

      Code execution error: Method [ method_name ] returned error: Bad stub:  at /usr/lib/perl5/site_perl/5.8.8/SOAP/Lite.pm line 3669

      which with moving one line bellow (adding the fix line) is:

      my %services = %{$self->schema->parse(@_)->load->services};

      So the fix won't do.

      As for the code example, I'll try to make something later during the day, but it's not so easy because I have XMLRPC web service calling SOAP service. And like I said, when it's on the same machine (but running on two different instances) everything's fine. When I put this SOAP to other machine I get this.

[reply]
[d/l]
[select]
        Well, sprinkle some warn statements here and there and figure it out :)
[reply]

      I "solved" the problem just by adding

      my $result = $1 if ($self->generate_stub($_) =~ m{^(.+)}s);

      before

      eval $result or Carp::croak "Bad stub: $@";

      which was previously

      eval $self->generate_stub($_) or Carp::croak "Bad stub: $@";

      and it works now. Not really elegant, but I need this urgently so it should do. Alfter that I'm getting this warning message:

      could not find ParserDetails.ini in /usr/lib/perl5/site_perl/5.8.8/XML/SAX

      Is this related?

[reply]
[d/l]
[select]

        Found the problem, it's not related

[reply]

      I am using 0.712 SOAP::Lite (sorry I didn't mention that), but the message is still there.

      Is there any way that I can untaint input args for the generate_stub method?

[reply]
        Is there any way that I can untaint input args for the generate_stub method?

        Don't know, can you give me something to debug , like a 6 line program that reproduces the error?

[reply]

Back to Seekers of Perl Wisdom