[rt-users] Re: Insecure dependency with FastCGI
michael.firestone
michael.firestone at rule-of-ten.com
Mon Nov 17 09:48:59 EST 2003
I have seen this symptom in other contexts. Simply put, File::Path does not
play well with taint mode. In your case, the $path variable in the mkdir()
call is considered tainted. The only way around this I have ever found was
to create File::PathTaint which is a copy of File::Path, but includes some
really unpleasant taint cleaning, usually something along the lines of:

    my $clean_path;
    $clean_path = $1 if ( $path =~ /^(.+)$/ );
    $path = $clean_path;

Yes, I know. It completely circumvents the idea of taint checking. But it
fixed the problem :)
Mik
Hanno Mueller writes:
> Hanno Mueller wrote:
>
>> I'm trying to install RT on a Debian Stable box. Since Debian doesn't
>> come with Perl 5.8 yet, I compiled my own 5.8.2. It runs Apache 1.3.26
>> with FastCGI.
>>
>>
>> I followed all the installation instructions for RT.
>
> [..]
>
>> I'm a bit stuck and the mailing list doesn't mention this problem for
>> recent versions. Yet, I cannot use RT with mod_perl on this particular
>> server.
>>
>> Any suggestions?
>
> I also tried to run 3.0.7 RC1 on the same box, no luck. Again, Perl
> complains about the mkdir() call.
>
> I've tried to untaint the CGI variables, but actually, I don't want to
> hunt for the symptom until I actually know the cause.
>
>
> Is anyone else running RT 3.0.6 as a CGI or as a FastCGI? I cannot install
> mod_perl on this server, so any help is greatly appreciated.
>
> Thanks,
>
> Hanno
>
>
Mik Firestone
Vice Principal
Rule of Ten, Inc.
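
For contrast with the catch-all /^(.+)$/ capture above, here is an added example (not code from this post, from File::Path or from RT) that untaints a path through an allowlist and then creates it with plain mkdir(). The base directory, the sub names and the allowed character set are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical base directory, constructed for this example.
my $BASE = '/tmp/taint-demo';

# Split a relative path and untaint each component through a strict allowlist.
# Returns the clean components, or an empty list if anything is rejected.
sub clean_components {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    my @clean;
    for my $part (split m{/}, $raw, -1) {
        # Rejects "", ".", "..", leading dots or dashes, newlines, NULs, metacharacters.
        return unless $part =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,63})\z/;
        push @clean, $1;    # a capture from a successful match is untainted
    }
    return @clean;
}

# Create the directory chain below $BASE with plain mkdir(), one level at a time.
sub make_under_base {
    my ($raw) = @_;
    my @parts = clean_components($raw) or return;
    my $dir = $BASE;
    for my $part (undef, @parts) {
        $dir = File::Spec->catdir($dir, $part) if defined $part;
        -d $dir or mkdir($dir, 0700) or die "mkdir $dir: $!\n";
    }
    return $dir;
}

# Constructed inputs. Appending a zero-length slice of $^X taints them under -T,
# standing in for data that arrived from a request.
my $TAINT = substr($^X, 0, 0);
for my $input ('sessions/ab12', '../etc', "ok\n", 'a//b', '/etc/passwd') {
    my $raw = $input . $TAINT;
    (my $shown = $input) =~ s/\n/\\n/g;
    my $dir = make_under_base($raw);
    printf "%-14s tainted=%d => %s\n", $shown, tainted($raw) ? 1 : 0,
        defined $dir ? "created $dir" : 'rejected';
}
```

Only the first input passes the allowlist; the others are rejected before mkdir() ever sees them, so the taint check still does its job for anything outside the expected shape.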