in reply to Re: disable taint for just one sub
in thread disable taint for just one sub

as requested (sorry for forgetting it) here's the errormessage netscape gives, because of `use CGI::Carp qw/fatalsToBrowser/;`: 
Content-type: text/html
Software error:
Insecure dependency in bind while running with -T switch at /usr/local
+/lib/perl5/site_perl/5.6.1/Net/Printer.pm line 534.

[download]

It's the same, what apache's log file says: 
[Tue Jul 24 11:30:17 2001] addXmail.pl: Insecure dependency in bind wh
+ile running with -T switch at /usr/local/lib/perl5/site_perl/5.6.1/Ne
+t/Printer.pm line 534

[download]

The script ist invocing the module by `$result = $lineprinter->printfile();' with the variables defined before (take a look above!), which is calling the module above, here is what the concerning line 534 of the module tries: 
    if (!(bind($sh, $this))) {
        return "Printer: Error: Cannot bind socket: $!\n";
    } # if !bind($sh, $this)

[download]

I don't have any idea, what bind does. Have you?
there are no silly questions
killerhippy

Replies are listed 'Best First'.
(ichimunki) Re x3 : disable taint for just one sub
by ichimunki (Priest) on Jul 24, 2001 at 15:37 UTC
    bind() binds a keymap to a readline function or macro (so sayeth the BASH info pages anyway-- I've never used it). My guess is that the module is picking up values for $sh or $this from the environment or from system calls at some point in the process. And indeed looking at the source for Net::Printer verifies something like this is happening.

    In at least one spot it is relying on assigning the return value from a backticked `hostname` command (both in the OpenSocket and printfile functions). My suggestion would be to fork the Net::Printer module for your local install (just give it a new name and put it in the directory with your script and use as you would any other of your own modules). You can then go through and either hardcode the correct results for these system calls or add taint checking (for valid hostname returned values) (or just detaint the $hostname variables without checking them-- it seems to me that anyone who can cause an insecure hostname return value has already compromised the system).

    If you manage to get a taint-safe version made without hardcoding your hostname into the script, consider sending a patch to the package maintainer.

    UPDATE: ariels is right, and I am officially red-faced about it. The bind in use by Net::Printer is something else entirely from what I described, but it still sounds like a thinly veiled system call to me (this socket binding stuff). As such it would be dangerous to do it with tainted inputs, and the crux of your problem remains the same, either replace the system call to hostname with hardcoded data, introduce hostname detainting into the module, or simply replace the backticked system call with "use Sys::Hostname; my $hostname = hostname();".
[reply]
      No, Net::Printer uses the builtin CORE::bind, which binds a socket to a port.

      I'm not sure why OP is having the tainting trouble at that line, however. Could you also give the context of the call? That is, how your program is calling the routine that fails, and where each variable in the call comes from.

[reply]
        The code is pretty simple, from the script' s view it is like this: 
        $file = "/tmp/emaildata." . time . ".txt";

..code to file the file with data..

$lineprinter = new Net::Printer(
                                  filename    => $file,
                                  printer     => "lpr",
                                  server      => "172.16.0.166",

                                  port        => 515,
                                  lineconvert => "YES"
                                );
$result = $lineprinter->printfile();

        [download]
        so it might be the $file, which is making trouble, isn't it? -- there are no silly questions killerhippy
[reply]
[d/l]

In Section Seekers of Perl Wisdom