Spurious "Insecure dependency" error in CGI.pm

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

If I run the code at the bottom from the command line eg

perl -T test.pl test=-

I get an Insecure dependency in require... error at line 533 of CGI.pm

If I instead use CGI qw/:standard/ (and remove all the $cgi->'s), the error goes away

If I remove the radio group from the example code, the error goes away

If I run the code from a web server and click the "+" button, I get the error, but running

perl -T test.pl test=+

from the command line does not produce the error

I have created a ticket in CGI.pm on cpan about this, and they suggested I ask here.

#!/usr/bin/perl -T
use CGI;
my $cgi = new CGI;

print 
  $cgi->header( -charset => 'utf-8' ),
  $cgi->start_html(),
    $cgi->start_form( -name => 'form' ),
      $cgi->table(
        $cgi->Tr(
          $cgi->td(
            $cgi->radio_group(
              -name    => 'testradio',
              -values  => [0..1],
              -labels  => { 0 => 0, 1 => 1 },
              -default => 0
            ),
          ),
          $cgi->td(
            $cgi->submit(
              -name  => 'test',
              -value => '+',
            ),
          ),
        ),
      ),
    $cgi->end_form,
  $cgi->end_html;
[download]

Comment on Spurious "Insecure dependency" error in CGI.pm Download Code

Replies are listed 'Best First'.
Re: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 14:50 UTC
Use perlbug to report this bug in perl To fix CGI.pm use this patch `--- C:\perl\5.14.1\lib\CGI.pm 2011-06-03 08:36:31.000000000 -0700 +++ CGI.pm 2011-09-14 07:49:32.031250000 -0700 @@ -530,7 +530,7 @@ my $val = $QUERY_PARAM{$name}; # always an arrayref; $self->param('-name'=>$name,'-value'=> $val); if (defined $val and ref $val eq 'ARRAY') { - for my $fh (grep {defined(fileno($_))} @$val) { + for my $fh (grep {ref($_) and defined(fileno($_))} @$ +val) { seek($fh,0,0); # reset the filehandle. }` [download] No point in checking vals which aren't overloaded filehandles :)	[reply] [d/l]
Re^2: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 15:00 UTC
I thought, maybe, for good measure, this patch also `@@ -820,7 +820,7 @@ # put a filehandle into binary mode (DOS) sub binmode { - return unless defined($_[1]) && defined fileno($_[1]); + return unless defined($_[1]) && ref ($_[1]) && defined fileno($_[ +1]); CORE::binmode($_[1]); }` [download] But this fix might trigger other bugs Needs more extensive testing :/	[reply] [d/l]
Re^3: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 15:45 UTC
Thanks people! I have added the patch to the ticket on CPAN.	[reply]
Re: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 14:14 UTC
I get an Insecure dependency in require... error at line 533 of CGI.pm I say this loud cause folks always to forget what version do you have? update:I see you have the latest, Bug #70935 for CGI: Spurious "Insecure dependency" error If it is a bug, it might also be a perl bug $ perl -Tle " print fileno shift" c $ perl -Tle " print fileno shift" 9999999999999999999999999 $ perl -Tle " print fileno shift" "<" $ perl -Tle " print fileno shift" ">" $ perl -Tle " print fileno shift" "+" Insecure dependency in require while running with -T switch at -e line + 1. BEGIN failed--compilation aborted. $ perl -Tle " print fileno shift" "-" Insecure dependency in require while running with -T switch at -e line + 1. BEGIN failed--compilation aborted. $ perl -Tle " print fileno shift" "*" [download]	[reply] [d/l]
Re^2: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 14:25 UTC
In addition to + and - I also found that ! does it My test program `perl -MDDS -le " @a = qw/ perl -Tle print(fileno(shift)) -- /; for(0.. +1222){ push @a, chr $_; $r = system @a; $r and Dump\@a; pop @a; } "` [download]	[reply] [d/l]
Re^3: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 14:38 UTC
Haha, this happens in both 5.14.1 and 5.12.2, funny $ perl -Tle " package SNOT; print(fileno(shift @ARGV)) ; use Data::Dum +per(); END{ warn Data::Dumper::Dumper(\%SNOT::);}" - Insecure dependency in require while running with -T switch at -e line + 1. BEGIN failed--compilation aborted. $VAR1 = { 'BEGIN' => SNOT::BEGIN, 'END' => SNOT::END }; $ perl -Tle " package SNOT; print(fileno(shift @ARGV)) ; use Data::Dum +per(); END{ warn Data::Dumper::Dumper(\%SNOT::);}" + Insecure dependency in require while running with -T switch at -e line + 1. BEGIN failed--compilation aborted. $VAR1 = { 'BEGIN' => SNOT::BEGIN, 'END' => SNOT::END }; $ perl -Tle " package SNOT; print(fileno(shift @ARGV)) ; use Data::Dum +per(); END{ warn Data::Dumper::Dumper(\%SNOT::);}" ! $VAR1 = { 'BEGIN' => SNOT::BEGIN, 'END' => SNOT::END }; [download] Comment in PP(pp_fileno) even funnier `731 if (!io \|\| !(fp = IoIFP(io))) { 732 /* Can't do this because people seem to do things like 733 defined(fileno($foo)) to check whether $foo is a valid + fh. 734 735 report_evil_fh(gv); 736 */ 737 RETPUSHUNDEF; 738 }` [download] I don't know what this means :)	[reply] [d/l] [select]
Re^3: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 14, 2011 at 14:27 UTC
present in perl 5.14.1 and 5.12.2 but not 5.8.9	[reply]
Re: Spurious "Insecure dependency" error in CGI.pm by Anonymous Monk on Sep 21, 2011 at 08:04 UTC
What a bunch of cowflop :) ruzam noticed this bug in 2009! fileno, taint and CGI.pm And I replied in that thread also. There is even a bug report about it Bug #53733 for CGI.pm: CGI plus sign character taint problem But you don't see it unless you manually go to https://rt.cpan.org/Public/Dist/Display.html?Status=Active&Name=CGI.pm because its not the same as https://rt.cpan.org/Public/Dist/Display.html?Status=Active&Name=CGI Those two bug cues should be merged! Moooo	[reply]

what version