taint problems in utf8

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I seem to be getting some taint errors generated by utf8_heavy.pl in a SOAP::Lite server.

In SWASHNEW it appears the utf8_heavy works out a file path and then does a do on that file. However sporadically this is generating an Insecure dependency error on the line were the do is performed.

I've set some debug around the area its failing.

warn  "DJR attempting to do [$file]";
use Scalar::Util;
warn "DJR file variable is tainted ?". Scalar::Util::tainted($file);
            $list = do $file; # this is the original bit thats failing
[download]

This gives me the following in my error logs.

[Wed Aug 23 12:21:08 2006] null: DJR attempting to do
[unicore/lib/gc_sc/Word.pl] at /usr/lib/perl5/5.8.5/utf8_heavy.pl line
185.
[Wed Aug 23 12:21:08 2006] null: DJR file variable is tainted ?0 at
/usr/lib/perl5/5.8.5/utf8_heavy.pl line 187.
[Wed Aug 23 12:21:08 2006] [error] [Wed Aug 23 12:21:08 2006] null:
Insecure dependency in require while running with -T switch at
/usr/lib/perl5/5.8.5/utf8_heavy.pl line 188.\n
[download]

I'm not sure how I could be getting an Insecure dependency when the only thing being used in the do is the $file variable and Scalar::Util shows that variable to not be tainted.

I also occasionally get a similar problem where it attempts to process unicore/To/Lower.pl as the file, but in this case the $file variable is actually tainted.

Has anyone else experienced these problems and found a solution/workaround?

Thanks
Dave

Comment on taint problems in utf8_heavy Select or Download Code

Replies are listed 'Best First'.
Re: taint problems in utf8_heavy by shmem (Chancellor) on Aug 23, 2006 at 17:54 UTC
Maybe the insecure dependency is not a tainted `$file`, but something else. For instance, `@INC` is used by `do` and `require`. Has `@INC` eventually been pushed a tainted variable, somewhere? --shmem _($_=" "x(1<<5)."?\n".q·/)Oo. G°\ / /\_¯/(q / ---------------------------- \__(m.====·.(_("always off the crowd"))."· ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}	[reply] [d/l] [select]
Re^2: taint problems in utf8_heavy by duckyd (Hermit) on Aug 23, 2006 at 23:17 UTC
I'd suspect that it's not `$file` that's the issue, but rather the contents of the file. `do $file` will execute whatever code is in the file, and it's awfully hard to be sure there's not something malicious in there.	[reply] [d/l] [select]
Re: taint problems in utf8_heavy by graff (Chancellor) on Aug 24, 2006 at 01:59 UTC
I'm only guessing, but could it be a matter of the permissions on the file in question? One of the points made early in the perlsec man page is: ... Some of these checks are reasonably simple, such as verifying that path directories aren't writable by others... If the file being passed to "do" (or the directory containing it) is not "go-w" -- or if some other directory in @INC has this property, that might be the thing that needs fixing.	[reply]